{"alert": {"alert_id": "A-EVAL-c-90000", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 1 event(s); first=auth.login_success", "host": "host-001", "user": "dave"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T00:08:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.84"}}], "ground_truth": "dismiss", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90000}
{"alert": {"alert_id": "A-EVAL-c-90001", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 1 event(s); first=edr.behavior_match", "host": "host-032", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T22:52:00Z", "source": "edr", "event_type": "edr.behavior_match", "fields": {"severity": "high", "rule_id": "EDR-8836", "host": "host-032"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90001}
{"alert": {"alert_id": "A-EVAL-c-90002", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 1 event(s); first=edr.behavior_match", "host": "host-008", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T16:56:00Z", "source": "edr", "event_type": "edr.behavior_match", "fields": {"severity": "high", "rule_id": "EDR-3486", "host": "host-008"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90002}
{"alert": {"alert_id": "A-EVAL-c-90003", "category": "benign_noise", "severity": "medium", "summary": "benign_noise: 1 event(s); first=net.port_scan_hit", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T05:32:00Z", "source": "network", "event_type": "net.port_scan_hit", "fields": {"src_ip": "203.0.113.115", "port": 23}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90003}
{"alert": {"alert_id": "A-EVAL-c-90004", "category": "c2_beacon", "severity": "high", "summary": "c2_beacon: 1 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T15:26:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "198.51.100.42", "interval_s": 60}}], "ground_truth": "block_ip", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90004}
{"alert": {"alert_id": "A-EVAL-c-90005", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 1 event(s); first=edr.behavior_match", "host": "host-024", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T12:27:00Z", "source": "edr", "event_type": "edr.behavior_match", "fields": {"severity": "high", "rule_id": "EDR-1989", "host": "host-024"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90005}
{"alert": {"alert_id": "A-EVAL-c-90006", "category": "malware_execution", "severity": "critical", "summary": "malware_execution: 3 event(s); first=proc.lolbin_use", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T09:41:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "outlook.exe", "cmd": "-enc BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T09:41:15Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "203.0.113.5", "interval_s": 30}}, {"log_id": "L1-2", "timestamp": "2026-04-25T09:41:30Z", "source": "identity", "event_type": "auth.privilege_grant", "fields": {"user": "alice", "role": "admin"}}], "ground_truth": "escalate", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90006}
{"alert": {"alert_id": "A-EVAL-c-90007", "category": "benign_noise", "severity": "medium", "summary": "benign_noise: 1 event(s); first=net.port_scan_hit", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T02:57:00Z", "source": "network", "event_type": "net.port_scan_hit", "fields": {"src_ip": "203.0.113.103", "port": 23}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90007}
{"alert": {"alert_id": "A-EVAL-c-90008", "category": "benign_noise", "severity": "medium", "summary": "benign_noise: 1 event(s); first=net.port_scan_hit", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T05:25:00Z", "source": "network", "event_type": "net.port_scan_hit", "fields": {"src_ip": "203.0.113.83", "port": 22}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90008}
{"alert": {"alert_id": "A-EVAL-c-90009", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 1 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T20:22:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "10.0.197.13", "interval_s": 30}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90009}
{"alert": {"alert_id": "A-EVAL-c-90010", "category": "benign_noise", "severity": "medium", "summary": "benign_noise: 1 event(s); first=net.port_scan_hit", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T21:48:00Z", "source": "network", "event_type": "net.port_scan_hit", "fields": {"src_ip": "203.0.113.146", "port": 445}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90010}
{"alert": {"alert_id": "A-EVAL-c-90011", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 2 event(s); first=proc.lolbin_use", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T19:21:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "winword.exe", "cmd": "-enc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T19:21:05Z", "source": "endpoint", "event_type": "file.write", "fields": {"path": "C:\\Users\\Public\\payload.exe"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90011}
{"alert": {"alert_id": "A-EVAL-c-90012", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 1 event(s); first=auth.login_success", "host": "host-001", "user": "erin"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T15:22:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "erin", "src_ip": "10.0.0.199"}}], "ground_truth": "dismiss", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90012}
{"alert": {"alert_id": "A-EVAL-c-90013", "category": "malware_execution", "severity": "critical", "summary": "malware_execution: 3 event(s); first=proc.lolbin_use", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T15:13:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "outlook.exe", "cmd": "-enc BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T15:13:15Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "203.0.113.5", "interval_s": 30}}, {"log_id": "L1-2", "timestamp": "2026-04-25T15:13:30Z", "source": "identity", "event_type": "auth.privilege_grant", "fields": {"user": "alice", "role": "admin"}}], "ground_truth": "escalate", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90013}
{"alert": {"alert_id": "A-EVAL-c-90014", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 2 event(s); first=proc.lolbin_use", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T01:39:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "chrome.exe", "cmd": "-enc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T01:39:05Z", "source": "endpoint", "event_type": "file.write", "fields": {"path": "C:\\Users\\Public\\tmp.exe"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90014}
{"alert": {"alert_id": "A-EVAL-c-90015", "category": "c2_beacon", "severity": "high", "summary": "c2_beacon: 1 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T03:07:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "198.51.100.42", "interval_s": 60}}], "ground_truth": "block_ip", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90015}
{"alert": {"alert_id": "A-EVAL-c-90016", "category": "benign_noise", "severity": "medium", "summary": "benign_noise: 1 event(s); first=net.port_scan_hit", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T04:36:00Z", "source": "network", "event_type": "net.port_scan_hit", "fields": {"src_ip": "203.0.113.245", "port": 3389}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90016}
{"alert": {"alert_id": "A-EVAL-c-90017", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 2 event(s); first=proc.lolbin_use", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T04:25:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "winword.exe", "cmd": "-enc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T04:25:05Z", "source": "endpoint", "event_type": "file.write", "fields": {"path": "C:\\Users\\Public\\payload.exe"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90017}
{"alert": {"alert_id": "A-EVAL-c-90018", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 2 event(s); first=proc.lolbin_use", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T03:05:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "outlook.exe", "cmd": "-enc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T03:05:05Z", "source": "endpoint", "event_type": "file.write", "fields": {"path": "C:\\Users\\Public\\payload.exe"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90018}
{"alert": {"alert_id": "A-EVAL-c-90019", "category": "c2_beacon", "severity": "high", "summary": "c2_beacon: 1 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T02:11:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "198.51.100.42", "interval_s": 30}}], "ground_truth": "block_ip", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90019}
{"alert": {"alert_id": "A-EVAL-c-90020", "category": "brute_force", "severity": "medium", "summary": "brute_force: 5 event(s); first=auth.login_failure", "host": "host-001", "user": "admin"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T13:13:00Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.96"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T13:13:05Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.202"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T13:13:10Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.20"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T13:13:15Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.117"}}, {"log_id": "L1-4", "timestamp": "2026-04-25T13:13:20Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.92"}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90020}
{"alert": {"alert_id": "A-EVAL-c-90021", "category": "phishing", "severity": "high", "summary": "phishing: 1 event(s); first=email.link_clicked", "host": "host-001", "user": "carol"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T18:55:00Z", "source": "email", "event_type": "email.link_clicked", "fields": {"url": "https://login-update.ru/secure", "user": "carol"}}], "ground_truth": "block_ip", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90021}
{"alert": {"alert_id": "A-EVAL-c-90022", "category": "phishing", "severity": "high", "summary": "phishing: 1 event(s); first=email.link_clicked", "host": "host-001", "user": "alice"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T01:02:00Z", "source": "email", "event_type": "email.link_clicked", "fields": {"url": "https://login-update.ru/secure", "user": "alice"}}], "ground_truth": "block_ip", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90022}
{"alert": {"alert_id": "A-EVAL-c-90023", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 2 event(s); first=proc.lolbin_use", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T21:32:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "chrome.exe", "cmd": "-enc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T21:32:05Z", "source": "endpoint", "event_type": "file.write", "fields": {"path": "C:\\Users\\Public\\tmp.exe"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90023}
{"alert": {"alert_id": "A-EVAL-c-90024", "category": "phishing", "severity": "high", "summary": "phishing: 1 event(s); first=email.link_clicked", "host": "host-001", "user": "alice"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T03:27:00Z", "source": "email", "event_type": "email.link_clicked", "fields": {"url": "https://login-update.top/secure", "user": "alice"}}], "ground_truth": "block_ip", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90024}
{"alert": {"alert_id": "A-EVAL-c-90025", "category": "phishing", "severity": "high", "summary": "phishing: 1 event(s); first=email.link_clicked", "host": "host-001", "user": "carol"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T05:44:00Z", "source": "email", "event_type": "email.link_clicked", "fields": {"url": "https://login-update.cn/secure", "user": "carol"}}], "ground_truth": "block_ip", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90025}
{"alert": {"alert_id": "A-EVAL-c-90026", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 1 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T08:17:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "10.0.37.205", "interval_s": 60}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90026}
{"alert": {"alert_id": "A-EVAL-c-90027", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 1 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T11:37:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "10.0.207.226", "interval_s": 30}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90027}
{"alert": {"alert_id": "A-EVAL-c-90028", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 1 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T21:07:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "10.0.168.29", "interval_s": 60}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90028}
{"alert": {"alert_id": "A-EVAL-c-90029", "category": "phishing", "severity": "high", "summary": "phishing: 1 event(s); first=email.link_clicked", "host": "host-001", "user": "alice"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T01:21:00Z", "source": "email", "event_type": "email.link_clicked", "fields": {"url": "https://login-update.click/secure", "user": "alice"}}], "ground_truth": "block_ip", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90029}
{"alert": {"alert_id": "A-EVAL-c-90030", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 1 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T17:29:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "10.0.53.239", "interval_s": 60}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90030}
{"alert": {"alert_id": "A-EVAL-c-90031", "category": "brute_force", "severity": "medium", "summary": "brute_force: 8 event(s); first=auth.login_failure", "host": "host-001", "user": "root"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T04:02:00Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.204"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T04:02:05Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.157"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T04:02:10Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.181"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T04:02:15Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.76"}}, {"log_id": "L1-4", "timestamp": "2026-04-25T04:02:20Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.90"}}, {"log_id": "L1-5", "timestamp": "2026-04-25T04:02:25Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.42"}}, {"log_id": "L1-6", "timestamp": "2026-04-25T04:02:30Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.9"}}, {"log_id": "L1-7", "timestamp": "2026-04-25T04:02:35Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.115"}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90031}
{"alert": {"alert_id": "A-EVAL-c-90032", "category": "benign_noise", "severity": "medium", "summary": "benign_noise: 1 event(s); first=net.port_scan_hit", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T16:29:00Z", "source": "network", "event_type": "net.port_scan_hit", "fields": {"src_ip": "203.0.113.172", "port": 22}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90032}
{"alert": {"alert_id": "A-EVAL-c-90033", "category": "brute_force", "severity": "medium", "summary": "brute_force: 5 event(s); first=auth.login_failure", "host": "host-001", "user": "alice"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T17:32:00Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.215"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T17:32:05Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.187"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T17:32:10Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.178"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T17:32:15Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.194"}}, {"log_id": "L1-4", "timestamp": "2026-04-25T17:32:20Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.93"}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90033}
{"alert": {"alert_id": "A-EVAL-c-90034", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 1 event(s); first=auth.login_success", "host": "host-001", "user": "alice"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T21:36:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "alice", "src_ip": "10.0.0.21"}}], "ground_truth": "dismiss", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90034}
{"alert": {"alert_id": "A-EVAL-c-90035", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 1 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T01:08:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "10.0.98.8", "interval_s": 60}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90035}
{"alert": {"alert_id": "A-EVAL-c-90036", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 1 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T20:29:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "10.0.20.241", "interval_s": 60}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90036}
{"alert": {"alert_id": "A-EVAL-c-90037", "category": "benign_noise", "severity": "medium", "summary": "benign_noise: 1 event(s); first=net.port_scan_hit", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T04:41:00Z", "source": "network", "event_type": "net.port_scan_hit", "fields": {"src_ip": "203.0.113.226", "port": 22}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90037}
{"alert": {"alert_id": "A-EVAL-c-90038", "category": "benign_noise", "severity": "medium", "summary": "benign_noise: 1 event(s); first=net.port_scan_hit", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T05:08:00Z", "source": "network", "event_type": "net.port_scan_hit", "fields": {"src_ip": "203.0.113.140", "port": 22}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90038}
{"alert": {"alert_id": "A-EVAL-c-90039", "category": "c2_beacon", "severity": "high", "summary": "c2_beacon: 1 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T20:51:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "203.0.113.5", "interval_s": 90}}], "ground_truth": "block_ip", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90039}
{"alert": {"alert_id": "A-EVAL-c-90040", "category": "brute_force", "severity": "medium", "summary": "brute_force: 7 event(s); first=auth.login_failure", "host": "host-001", "user": "service_acct"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T21:30:00Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "service_acct", "src_ip": "203.0.113.155"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T21:30:05Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "service_acct", "src_ip": "203.0.113.15"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T21:30:10Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "service_acct", "src_ip": "203.0.113.177"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T21:30:15Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "service_acct", "src_ip": "203.0.113.155"}}, {"log_id": "L1-4", "timestamp": "2026-04-25T21:30:20Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "service_acct", "src_ip": "203.0.113.10"}}, {"log_id": "L1-5", "timestamp": "2026-04-25T21:30:25Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "service_acct", "src_ip": "203.0.113.210"}}, {"log_id": "L1-6", "timestamp": "2026-04-25T21:30:30Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "service_acct", "src_ip": "203.0.113.170"}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90040}
{"alert": {"alert_id": "A-EVAL-c-90041", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 1 event(s); first=edr.behavior_match", "host": "host-037", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T12:41:00Z", "source": "edr", "event_type": "edr.behavior_match", "fields": {"severity": "high", "rule_id": "EDR-3099", "host": "host-037"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90041}
{"alert": {"alert_id": "A-EVAL-c-90042", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 1 event(s); first=auth.login_success", "host": "host-001", "user": "carol"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T12:10:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.187"}}], "ground_truth": "dismiss", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90042}
{"alert": {"alert_id": "A-EVAL-c-90043", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 1 event(s); first=edr.behavior_match", "host": "host-004", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T18:36:00Z", "source": "edr", "event_type": "edr.behavior_match", "fields": {"severity": "high", "rule_id": "EDR-8741", "host": "host-004"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90043}
{"alert": {"alert_id": "A-EVAL-c-90044", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 1 event(s); first=edr.behavior_match", "host": "host-037", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T12:00:00Z", "source": "edr", "event_type": "edr.behavior_match", "fields": {"severity": "high", "rule_id": "EDR-2644", "host": "host-037"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90044}
{"alert": {"alert_id": "A-EVAL-c-90045", "category": "phishing", "severity": "high", "summary": "phishing: 1 event(s); first=email.link_clicked", "host": "host-001", "user": "carol"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T00:33:00Z", "source": "email", "event_type": "email.link_clicked", "fields": {"url": "https://login-update.xyz/secure", "user": "carol"}}], "ground_truth": "block_ip", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90045}
{"alert": {"alert_id": "A-EVAL-c-90046", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 1 event(s); first=auth.login_success", "host": "host-001", "user": "bob"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T21:27:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.38"}}], "ground_truth": "dismiss", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90046}
{"alert": {"alert_id": "A-EVAL-c-90047", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 2 event(s); first=proc.lolbin_use", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T03:55:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "chrome.exe", "cmd": "-enc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T03:55:05Z", "source": "endpoint", "event_type": "file.write", "fields": {"path": "C:\\Users\\Public\\payload.exe"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90047}
{"alert": {"alert_id": "A-EVAL-c-90048", "category": "phishing", "severity": "high", "summary": "phishing: 1 event(s); first=email.link_clicked", "host": "host-001", "user": "alice"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T02:43:00Z", "source": "email", "event_type": "email.link_clicked", "fields": {"url": "https://login-update.click/secure", "user": "alice"}}], "ground_truth": "block_ip", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90048}
{"alert": {"alert_id": "A-EVAL-c-90049", "category": "malware_execution", "severity": "critical", "summary": "malware_execution: 3 event(s); first=proc.lolbin_use", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T03:32:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "outlook.exe", "cmd": "-enc BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T03:32:15Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "203.0.113.5", "interval_s": 30}}, {"log_id": "L1-2", "timestamp": "2026-04-25T03:32:30Z", "source": "identity", "event_type": "auth.privilege_grant", "fields": {"user": "bob", "role": "admin"}}], "ground_truth": "escalate", "triggering_log_id": "L1-0", "stage": "stage1_basic", "seed": 90049}
{"alert": {"alert_id": "A-EVAL-i-91000", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 2 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T21:23:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "10.0.61.71", "interval_s": 60}}, {"log_id": "L1-1", "timestamp": "2026-04-25T22:28:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "alice", "src_ip": "10.0.0.76"}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage2_multi", "seed": 91000}
{"alert": {"alert_id": "A-EVAL-i-91001", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 2 event(s); first=net.dns_query", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T03:58:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T06:16:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.120"}}], "ground_truth": "dismiss", "triggering_log_id": "L1-1", "stage": "stage2_multi", "seed": 91001}
{"alert": {"alert_id": "A-EVAL-i-91002", "category": "benign_noise", "severity": "medium", "summary": "benign_noise: 2 event(s); first=net.port_scan_hit", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T02:47:00Z", "source": "network", "event_type": "net.port_scan_hit", "fields": {"src_ip": "203.0.113.103", "port": 22}}, {"log_id": "L1-1", "timestamp": "2026-04-25T15:10:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage2_multi", "seed": 91002}
{"alert": {"alert_id": "A-EVAL-i-91003", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 2 event(s); first=auth.login_success", "host": "host-001", "user": "bob"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T06:42:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.162"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T16:50:00Z", "source": "edr", "event_type": "edr.behavior_match", "fields": {"severity": "high", "rule_id": "EDR-2571", "host": "host-001"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-1", "stage": "stage2_multi", "seed": 91003}
{"alert": {"alert_id": "A-EVAL-i-91004", "category": "c2_beacon", "severity": "high", "summary": "c2_beacon: 2 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T04:11:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "203.0.113.5", "interval_s": 30}}, {"log_id": "L1-1", "timestamp": "2026-04-25T06:32:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "alice", "src_ip": "10.0.0.66"}}], "ground_truth": "block_ip", "triggering_log_id": "L1-0", "stage": "stage2_multi", "seed": 91004}
{"alert": {"alert_id": "A-EVAL-i-91005", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 2 event(s); first=auth.login_success", "host": "host-001", "user": "dave"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T03:25:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.38"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T11:01:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.118.97", "bytes_out": 7455}}], "ground_truth": "dismiss", "triggering_log_id": "L1-1", "stage": "stage2_multi", "seed": 91005}
{"alert": {"alert_id": "A-EVAL-i-91006", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 2 event(s); first=edr.behavior_match", "host": "host-005", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T08:57:00Z", "source": "edr", "event_type": "edr.behavior_match", "fields": {"severity": "high", "rule_id": "EDR-3238", "host": "host-005"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T21:58:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.240"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-0", "stage": "stage2_multi", "seed": 91006}
{"alert": {"alert_id": "A-EVAL-i-91007", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 2 event(s); first=net.dns_query", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T03:16:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T03:44:00Z", "source": "edr", "event_type": "edr.behavior_match", "fields": {"severity": "high", "rule_id": "EDR-2430", "host": "host-020"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-1", "stage": "stage2_multi", "seed": 91007}
{"alert": {"alert_id": "A-EVAL-i-91008", "category": "brute_force", "severity": "medium", "summary": "brute_force: 8 event(s); first=net.outbound_connection", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T11:11:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.101.112", "bytes_out": 73324}}, {"log_id": "L1-1", "timestamp": "2026-04-25T14:47:00Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.76"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T14:47:05Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.196"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T14:47:10Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.242"}}, {"log_id": "L1-4", "timestamp": "2026-04-25T14:47:15Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.243"}}, {"log_id": "L1-5", "timestamp": "2026-04-25T14:47:20Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.100"}}, {"log_id": "L1-6", "timestamp": "2026-04-25T14:47:25Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.155"}}, {"log_id": "L1-7", "timestamp": "2026-04-25T14:47:30Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.43"}}], "ground_truth": "monitor", "triggering_log_id": "L1-1", "stage": "stage2_multi", "seed": 91008}
{"alert": {"alert_id": "A-EVAL-i-91009", "category": "phishing", "severity": "high", "summary": "phishing: 2 event(s); first=email.link_clicked", "host": "host-001", "user": "carol"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T05:53:00Z", "source": "email", "event_type": "email.link_clicked", "fields": {"url": "https://login-update.xyz/secure", "user": "carol"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T21:34:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}], "ground_truth": "block_ip", "triggering_log_id": "L1-0", "stage": "stage2_multi", "seed": 91009}
{"alert": {"alert_id": "A-EVAL-i-91010", "category": "c2_beacon", "severity": "high", "summary": "c2_beacon: 2 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T15:47:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "203.0.113.5", "interval_s": 30}}, {"log_id": "L1-1", "timestamp": "2026-04-25T17:29:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.236.134", "bytes_out": 97110}}], "ground_truth": "block_ip", "triggering_log_id": "L1-0", "stage": "stage2_multi", "seed": 91010}
{"alert": {"alert_id": "A-EVAL-i-91011", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 2 event(s); first=auth.login_success", "host": "host-001", "user": "erin"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T14:20:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "erin", "src_ip": "10.0.0.165"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T22:52:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}], "ground_truth": "dismiss", "triggering_log_id": "L1-1", "stage": "stage2_multi", "seed": 91011}
{"alert": {"alert_id": "A-EVAL-i-91012", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 2 event(s); first=auth.login_success", "host": "host-001", "user": "erin"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T07:01:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "erin", "src_ip": "10.0.0.138"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T10:43:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.113.145", "bytes_out": 53554}}], "ground_truth": "dismiss", "triggering_log_id": "L1-1", "stage": "stage2_multi", "seed": 91012}
{"alert": {"alert_id": "A-EVAL-i-91013", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 3 event(s); first=proc.lolbin_use", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T16:34:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "chrome.exe", "cmd": "-enc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T16:34:05Z", "source": "endpoint", "event_type": "file.write", "fields": {"path": "C:\\Users\\Public\\tmp.exe"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T20:23:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-0", "stage": "stage2_multi", "seed": 91013}
{"alert": {"alert_id": "A-EVAL-i-91014", "category": "phishing", "severity": "high", "summary": "phishing: 2 event(s); first=net.outbound_connection", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T00:01:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.89.114", "bytes_out": 41773}}, {"log_id": "L1-1", "timestamp": "2026-04-25T16:24:00Z", "source": "email", "event_type": "email.link_clicked", "fields": {"url": "https://login-update.ru/secure", "user": "alice"}}], "ground_truth": "block_ip", "triggering_log_id": "L1-1", "stage": "stage2_multi", "seed": 91014}
{"alert": {"alert_id": "A-EVAL-i-91015", "category": "c2_beacon", "severity": "high", "summary": "c2_beacon: 2 event(s); first=net.outbound_connection", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T00:29:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.175.84", "bytes_out": 38363}}, {"log_id": "L1-1", "timestamp": "2026-04-25T09:55:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "185.220.101.7", "interval_s": 30}}], "ground_truth": "block_ip", "triggering_log_id": "L1-1", "stage": "stage2_multi", "seed": 91015}
{"alert": {"alert_id": "A-EVAL-i-91016", "category": "malware_execution", "severity": "critical", "summary": "malware_execution: 4 event(s); first=proc.lolbin_use", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T07:32:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "outlook.exe", "cmd": "-enc BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T07:32:15Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "203.0.113.5", "interval_s": 30}}, {"log_id": "L1-2", "timestamp": "2026-04-25T07:32:30Z", "source": "identity", "event_type": "auth.privilege_grant", "fields": {"user": "bob", "role": "admin"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T15:31:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}], "ground_truth": "escalate", "triggering_log_id": "L1-0", "stage": "stage2_multi", "seed": 91016}
{"alert": {"alert_id": "A-EVAL-i-91017", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 2 event(s); first=auth.login_success", "host": "host-001", "user": "dave"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T04:36:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.4"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T07:24:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "10.0.216.132", "interval_s": 30}}], "ground_truth": "monitor", "triggering_log_id": "L1-1", "stage": "stage2_multi", "seed": 91017}
{"alert": {"alert_id": "A-EVAL-i-91018", "category": "brute_force", "severity": "medium", "summary": "brute_force: 10 event(s); first=net.dns_query", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T06:44:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T18:52:00Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "service_acct", "src_ip": "203.0.113.188"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T18:52:05Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "service_acct", "src_ip": "203.0.113.68"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T18:52:10Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "service_acct", "src_ip": "203.0.113.160"}}, {"log_id": "L1-4", "timestamp": "2026-04-25T18:52:15Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "service_acct", "src_ip": "203.0.113.52"}}, {"log_id": "L1-5", "timestamp": "2026-04-25T18:52:20Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "service_acct", "src_ip": "203.0.113.131"}}, {"log_id": "L1-6", "timestamp": "2026-04-25T18:52:25Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "service_acct", "src_ip": "203.0.113.186"}}, {"log_id": "L1-7", "timestamp": "2026-04-25T18:52:30Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "service_acct", "src_ip": "203.0.113.32"}}, {"log_id": "L1-8", "timestamp": "2026-04-25T18:52:35Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "service_acct", "src_ip": "203.0.113.179"}}, {"log_id": "L1-9", "timestamp": "2026-04-25T18:52:40Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "service_acct", "src_ip": "203.0.113.50"}}], "ground_truth": "monitor", "triggering_log_id": "L1-1", "stage": "stage2_multi", "seed": 91018}
{"alert": {"alert_id": "A-EVAL-i-91019", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 2 event(s); first=net.outbound_connection", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T05:52:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.47.3", "bytes_out": 24567}}, {"log_id": "L1-1", "timestamp": "2026-04-25T19:38:00Z", "source": "edr", "event_type": "edr.behavior_match", "fields": {"severity": "high", "rule_id": "EDR-6859", "host": "host-028"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-1", "stage": "stage2_multi", "seed": 91019}
{"alert": {"alert_id": "A-EVAL-i-91020", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 2 event(s); first=auth.login_success", "host": "host-001", "user": "bob"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T10:37:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.172"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T18:28:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.76.101", "bytes_out": 43684}}], "ground_truth": "dismiss", "triggering_log_id": "L1-1", "stage": "stage2_multi", "seed": 91020}
{"alert": {"alert_id": "A-EVAL-i-91021", "category": "phishing", "severity": "high", "summary": "phishing: 2 event(s); first=email.link_clicked", "host": "host-001", "user": "bob"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T11:07:00Z", "source": "email", "event_type": "email.link_clicked", "fields": {"url": "https://login-update.cn/secure", "user": "bob"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T22:48:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "alice", "src_ip": "10.0.0.138"}}], "ground_truth": "block_ip", "triggering_log_id": "L1-0", "stage": "stage2_multi", "seed": 91021}
{"alert": {"alert_id": "A-EVAL-i-91022", "category": "brute_force", "severity": "medium", "summary": "brute_force: 10 event(s); first=auth.login_success", "host": "host-001", "user": "dave"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T13:22:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.2"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T21:58:00Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.78"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T21:58:05Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.215"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T21:58:10Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.21"}}, {"log_id": "L1-4", "timestamp": "2026-04-25T21:58:15Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.107"}}, {"log_id": "L1-5", "timestamp": "2026-04-25T21:58:20Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.206"}}, {"log_id": "L1-6", "timestamp": "2026-04-25T21:58:25Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.39"}}, {"log_id": "L1-7", "timestamp": "2026-04-25T21:58:30Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.93"}}, {"log_id": "L1-8", "timestamp": "2026-04-25T21:58:35Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.243"}}, {"log_id": "L1-9", "timestamp": "2026-04-25T21:58:40Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.77"}}], "ground_truth": "monitor", "triggering_log_id": "L1-1", "stage": "stage2_multi", "seed": 91022}
{"alert": {"alert_id": "A-EVAL-i-91023", "category": "phishing", "severity": "high", "summary": "phishing: 2 event(s); first=email.link_clicked", "host": "host-001", "user": "carol"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T00:19:00Z", "source": "email", "event_type": "email.link_clicked", "fields": {"url": "https://login-update.cn/secure", "user": "carol"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T22:30:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}], "ground_truth": "block_ip", "triggering_log_id": "L1-0", "stage": "stage2_multi", "seed": 91023}
{"alert": {"alert_id": "A-EVAL-i-91024", "category": "benign_noise", "severity": "medium", "summary": "benign_noise: 2 event(s); first=net.port_scan_hit", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T06:00:00Z", "source": "network", "event_type": "net.port_scan_hit", "fields": {"src_ip": "203.0.113.224", "port": 445}}, {"log_id": "L1-1", "timestamp": "2026-04-25T20:25:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage2_multi", "seed": 91024}
{"alert": {"alert_id": "A-EVAL-i-91025", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 2 event(s); first=auth.login_success", "host": "host-001", "user": "carol"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T10:18:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.156"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T11:43:00Z", "source": "edr", "event_type": "edr.behavior_match", "fields": {"severity": "high", "rule_id": "EDR-1975", "host": "host-049"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-1", "stage": "stage2_multi", "seed": 91025}
{"alert": {"alert_id": "A-EVAL-i-91026", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 2 event(s); first=auth.login_success", "host": "host-001", "user": "alice"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T08:22:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "alice", "src_ip": "10.0.0.199"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T11:40:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "10.0.69.150", "interval_s": 30}}], "ground_truth": "monitor", "triggering_log_id": "L1-1", "stage": "stage2_multi", "seed": 91026}
{"alert": {"alert_id": "A-EVAL-i-91027", "category": "brute_force", "severity": "medium", "summary": "brute_force: 9 event(s); first=auth.login_failure", "host": "host-001", "user": "root"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T01:57:00Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.157"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T01:57:05Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.164"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T01:57:10Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.135"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T01:57:15Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.14"}}, {"log_id": "L1-4", "timestamp": "2026-04-25T01:57:20Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.113"}}, {"log_id": "L1-5", "timestamp": "2026-04-25T01:57:25Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.164"}}, {"log_id": "L1-6", "timestamp": "2026-04-25T01:57:30Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.12"}}, {"log_id": "L1-7", "timestamp": "2026-04-25T01:57:35Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.177"}}, {"log_id": "L1-8", "timestamp": "2026-04-25T19:02:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.113.145", "bytes_out": 56141}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage2_multi", "seed": 91027}
{"alert": {"alert_id": "A-EVAL-i-91028", "category": "benign_noise", "severity": "medium", "summary": "benign_noise: 2 event(s); first=auth.login_success", "host": "host-001", "user": "carol"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T00:59:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.208"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T13:57:00Z", "source": "network", "event_type": "net.port_scan_hit", "fields": {"src_ip": "203.0.113.15", "port": 22}}], "ground_truth": "monitor", "triggering_log_id": "L1-1", "stage": "stage2_multi", "seed": 91028}
{"alert": {"alert_id": "A-EVAL-i-91029", "category": "malware_execution", "severity": "critical", "summary": "malware_execution: 4 event(s); first=proc.lolbin_use", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T15:02:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "outlook.exe", "cmd": "-enc BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T15:02:15Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "203.0.113.5", "interval_s": 30}}, {"log_id": "L1-2", "timestamp": "2026-04-25T15:02:30Z", "source": "identity", "event_type": "auth.privilege_grant", "fields": {"user": "alice", "role": "admin"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T18:16:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.10"}}], "ground_truth": "escalate", "triggering_log_id": "L1-0", "stage": "stage2_multi", "seed": 91029}
{"alert": {"alert_id": "A-EVAL-i-91030", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 2 event(s); first=auth.login_success", "host": "host-001", "user": "carol"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T11:58:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.187"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T22:09:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}], "ground_truth": "dismiss", "triggering_log_id": "L1-1", "stage": "stage2_multi", "seed": 91030}
{"alert": {"alert_id": "A-EVAL-i-91031", "category": "brute_force", "severity": "medium", "summary": "brute_force: 7 event(s); first=auth.login_failure", "host": "host-001", "user": "alice"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T10:33:00Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.206"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T10:33:05Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.194"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T10:33:10Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.51"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T10:33:15Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.189"}}, {"log_id": "L1-4", "timestamp": "2026-04-25T10:33:20Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.236"}}, {"log_id": "L1-5", "timestamp": "2026-04-25T10:33:25Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.198"}}, {"log_id": "L1-6", "timestamp": "2026-04-25T22:04:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.92.118", "bytes_out": 37795}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage2_multi", "seed": 91031}
{"alert": {"alert_id": "A-EVAL-i-91032", "category": "c2_beacon", "severity": "high", "summary": "c2_beacon: 2 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T11:59:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "198.51.100.42", "interval_s": 60}}, {"log_id": "L1-1", "timestamp": "2026-04-25T18:53:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}], "ground_truth": "block_ip", "triggering_log_id": "L1-0", "stage": "stage2_multi", "seed": 91032}
{"alert": {"alert_id": "A-EVAL-i-91033", "category": "malware_execution", "severity": "critical", "summary": "malware_execution: 4 event(s); first=proc.lolbin_use", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T01:27:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "outlook.exe", "cmd": "-enc BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T01:27:15Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "203.0.113.5", "interval_s": 30}}, {"log_id": "L1-2", "timestamp": "2026-04-25T01:27:30Z", "source": "identity", "event_type": "auth.privilege_grant", "fields": {"user": "bob", "role": "admin"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T12:06:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}], "ground_truth": "escalate", "triggering_log_id": "L1-0", "stage": "stage2_multi", "seed": 91033}
{"alert": {"alert_id": "A-EVAL-i-91034", "category": "phishing", "severity": "high", "summary": "phishing: 2 event(s); first=net.dns_query", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T03:01:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T04:04:00Z", "source": "email", "event_type": "email.link_clicked", "fields": {"url": "https://login-update.top/secure", "user": "carol"}}], "ground_truth": "block_ip", "triggering_log_id": "L1-1", "stage": "stage2_multi", "seed": 91034}
{"alert": {"alert_id": "A-EVAL-i-91035", "category": "benign_noise", "severity": "medium", "summary": "benign_noise: 2 event(s); first=net.port_scan_hit", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T14:43:00Z", "source": "network", "event_type": "net.port_scan_hit", "fields": {"src_ip": "203.0.113.177", "port": 3389}}, {"log_id": "L1-1", "timestamp": "2026-04-25T14:58:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.88"}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage2_multi", "seed": 91035}
{"alert": {"alert_id": "A-EVAL-i-91036", "category": "brute_force", "severity": "medium", "summary": "brute_force: 9 event(s); first=net.outbound_connection", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T03:24:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.115.186", "bytes_out": 56648}}, {"log_id": "L1-1", "timestamp": "2026-04-25T11:57:00Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.114"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T11:57:05Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.12"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T11:57:10Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.200"}}, {"log_id": "L1-4", "timestamp": "2026-04-25T11:57:15Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.21"}}, {"log_id": "L1-5", "timestamp": "2026-04-25T11:57:20Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.241"}}, {"log_id": "L1-6", "timestamp": "2026-04-25T11:57:25Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.18"}}, {"log_id": "L1-7", "timestamp": "2026-04-25T11:57:30Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.205"}}, {"log_id": "L1-8", "timestamp": "2026-04-25T11:57:35Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.148"}}], "ground_truth": "monitor", "triggering_log_id": "L1-1", "stage": "stage2_multi", "seed": 91036}
{"alert": {"alert_id": "A-EVAL-i-91037", "category": "benign_noise", "severity": "medium", "summary": "benign_noise: 2 event(s); first=net.outbound_connection", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T02:54:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.137.186", "bytes_out": 37324}}, {"log_id": "L1-1", "timestamp": "2026-04-25T04:23:00Z", "source": "network", "event_type": "net.port_scan_hit", "fields": {"src_ip": "203.0.113.96", "port": 5985}}], "ground_truth": "monitor", "triggering_log_id": "L1-1", "stage": "stage2_multi", "seed": 91037}
{"alert": {"alert_id": "A-EVAL-i-91038", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 2 event(s); first=auth.login_success", "host": "host-001", "user": "alice"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T04:00:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "alice", "src_ip": "10.0.0.239"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T22:37:00Z", "source": "edr", "event_type": "edr.behavior_match", "fields": {"severity": "high", "rule_id": "EDR-2737", "host": "host-041"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-1", "stage": "stage2_multi", "seed": 91038}
{"alert": {"alert_id": "A-EVAL-i-91039", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 3 event(s); first=proc.lolbin_use", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T19:09:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "excel.exe", "cmd": "-enc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T19:09:05Z", "source": "endpoint", "event_type": "file.write", "fields": {"path": "C:\\Users\\Public\\payload.exe"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T19:53:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.71.10", "bytes_out": 25773}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-0", "stage": "stage2_multi", "seed": 91039}
{"alert": {"alert_id": "A-EVAL-i-91040", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 2 event(s); first=net.outbound_connection", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T08:09:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.168.133", "bytes_out": 96660}}, {"log_id": "L1-1", "timestamp": "2026-04-25T18:31:00Z", "source": "edr", "event_type": "edr.behavior_match", "fields": {"severity": "high", "rule_id": "EDR-9974", "host": "host-015"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-1", "stage": "stage2_multi", "seed": 91040}
{"alert": {"alert_id": "A-EVAL-i-91041", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 2 event(s); first=auth.login_success", "host": "host-001", "user": "alice"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T12:19:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "alice", "src_ip": "10.0.0.99"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T13:36:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "alice", "src_ip": "10.0.0.118"}}], "ground_truth": "dismiss", "triggering_log_id": "L1-1", "stage": "stage2_multi", "seed": 91041}
{"alert": {"alert_id": "A-EVAL-i-91042", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 2 event(s); first=auth.login_success", "host": "host-001", "user": "dave"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T05:30:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.51"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T10:03:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.41.43", "bytes_out": 90697}}], "ground_truth": "dismiss", "triggering_log_id": "L1-1", "stage": "stage2_multi", "seed": 91042}
{"alert": {"alert_id": "A-EVAL-i-91043", "category": "phishing", "severity": "high", "summary": "phishing: 2 event(s); first=email.link_clicked", "host": "host-001", "user": "bob"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T09:04:00Z", "source": "email", "event_type": "email.link_clicked", "fields": {"url": "https://login-update.ru/secure", "user": "bob"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T11:00:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.133.149", "bytes_out": 74626}}], "ground_truth": "block_ip", "triggering_log_id": "L1-0", "stage": "stage2_multi", "seed": 91043}
{"alert": {"alert_id": "A-EVAL-i-91044", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 3 event(s); first=proc.lolbin_use", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T14:27:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "winword.exe", "cmd": "-enc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T14:27:05Z", "source": "endpoint", "event_type": "file.write", "fields": {"path": "C:\\Users\\Public\\svc.exe"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T21:25:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.234.16", "bytes_out": 56683}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-0", "stage": "stage2_multi", "seed": 91044}
{"alert": {"alert_id": "A-EVAL-i-91045", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 2 event(s); first=net.dns_query", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T07:16:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T20:06:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "erin", "src_ip": "10.0.0.102"}}], "ground_truth": "dismiss", "triggering_log_id": "L1-1", "stage": "stage2_multi", "seed": 91045}
{"alert": {"alert_id": "A-EVAL-i-91046", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 3 event(s); first=proc.lolbin_use", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T02:24:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "chrome.exe", "cmd": "-enc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T02:24:05Z", "source": "endpoint", "event_type": "file.write", "fields": {"path": "C:\\Users\\Public\\svc.exe"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T09:39:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-0", "stage": "stage2_multi", "seed": 91046}
{"alert": {"alert_id": "A-EVAL-i-91047", "category": "malware_execution", "severity": "critical", "summary": "malware_execution: 4 event(s); first=auth.login_success", "host": "host-001", "user": "dave"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T01:19:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.2"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T02:05:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "outlook.exe", "cmd": "-enc BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T02:05:15Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "203.0.113.5", "interval_s": 30}}, {"log_id": "L1-3", "timestamp": "2026-04-25T02:05:30Z", "source": "identity", "event_type": "auth.privilege_grant", "fields": {"user": "alice", "role": "admin"}}], "ground_truth": "escalate", "triggering_log_id": "L1-1", "stage": "stage2_multi", "seed": 91047}
{"alert": {"alert_id": "A-EVAL-i-91048", "category": "phishing", "severity": "high", "summary": "phishing: 2 event(s); first=auth.login_success", "host": "host-001", "user": "bob"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T05:25:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.225"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T06:09:00Z", "source": "email", "event_type": "email.link_clicked", "fields": {"url": "https://login-update.ru/secure", "user": "bob"}}], "ground_truth": "block_ip", "triggering_log_id": "L1-1", "stage": "stage2_multi", "seed": 91048}
{"alert": {"alert_id": "A-EVAL-i-91049", "category": "malware_execution", "severity": "critical", "summary": "malware_execution: 4 event(s); first=proc.lolbin_use", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T07:25:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "outlook.exe", "cmd": "-enc BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T07:25:15Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "203.0.113.5", "interval_s": 30}}, {"log_id": "L1-2", "timestamp": "2026-04-25T07:25:30Z", "source": "identity", "event_type": "auth.privilege_grant", "fields": {"user": "bob", "role": "admin"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T07:33:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.129.209", "bytes_out": 98352}}], "ground_truth": "escalate", "triggering_log_id": "L1-0", "stage": "stage2_multi", "seed": 91049}
{"alert": {"alert_id": "A-EVAL-d-92000", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 3 event(s); first=net.outbound_connection", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T04:39:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.81.214", "bytes_out": 86290}}, {"log_id": "L1-1", "timestamp": "2026-04-25T04:39:02Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.138.227", "bytes_out": 53711}}, {"log_id": "L1-2", "timestamp": "2026-04-25T16:45:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "10.0.244.186", "interval_s": 90}}], "ground_truth": "monitor", "triggering_log_id": "L1-2", "stage": "stage3_mixed", "seed": 92000}
{"alert": {"alert_id": "A-EVAL-d-92001", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 3 event(s); first=edr.behavior_match", "host": "host-013", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T06:29:00Z", "source": "edr", "event_type": "edr.behavior_match", "fields": {"severity": "high", "rule_id": "EDR-6020", "host": "host-013"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T15:02:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T15:02:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.40"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-0", "stage": "stage3_mixed", "seed": 92001}
{"alert": {"alert_id": "A-EVAL-d-92002", "category": "brute_force", "severity": "medium", "summary": "brute_force: 11 event(s); first=net.dns_query", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T06:26:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T06:26:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.15"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T09:47:00Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.78"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T09:47:05Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.140"}}, {"log_id": "L1-4", "timestamp": "2026-04-25T09:47:10Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.19"}}, {"log_id": "L1-5", "timestamp": "2026-04-25T09:47:15Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.222"}}, {"log_id": "L1-6", "timestamp": "2026-04-25T09:47:20Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.194"}}, {"log_id": "L1-7", "timestamp": "2026-04-25T09:47:25Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.217"}}, {"log_id": "L1-8", "timestamp": "2026-04-25T09:47:30Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.118"}}, {"log_id": "L1-9", "timestamp": "2026-04-25T09:47:35Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.243"}}, {"log_id": "L1-10", "timestamp": "2026-04-25T09:47:40Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "alice", "src_ip": "203.0.113.128"}}], "ground_truth": "monitor", "triggering_log_id": "L1-2", "stage": "stage3_mixed", "seed": 92002}
{"alert": {"alert_id": "A-EVAL-d-92003", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 3 event(s); first=auth.login_success", "host": "host-001", "user": "dave"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T01:19:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.29"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T01:19:02Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T05:05:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "10.0.153.44", "interval_s": 60}}], "ground_truth": "monitor", "triggering_log_id": "L1-2", "stage": "stage3_mixed", "seed": 92003}
{"alert": {"alert_id": "A-EVAL-d-92004", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 3 event(s); first=auth.login_success", "host": "host-001", "user": "dave"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T04:51:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.64"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T04:51:02Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.217.73", "bytes_out": 81935}}, {"log_id": "L1-2", "timestamp": "2026-04-25T06:31:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.102"}}], "ground_truth": "dismiss", "triggering_log_id": "L1-2", "stage": "stage3_mixed", "seed": 92004}
{"alert": {"alert_id": "A-EVAL-d-92005", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 3 event(s); first=auth.login_success", "host": "host-001", "user": "bob"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T17:40:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.119"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T19:31:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.72"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T19:31:02Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}], "ground_truth": "dismiss", "triggering_log_id": "L1-2", "stage": "stage3_mixed", "seed": 92005}
{"alert": {"alert_id": "A-EVAL-d-92006", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 3 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T00:22:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "10.0.27.65", "interval_s": 90}}, {"log_id": "L1-1", "timestamp": "2026-04-25T20:04:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.5"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T20:04:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.21"}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage3_mixed", "seed": 92006}
{"alert": {"alert_id": "A-EVAL-d-92007", "category": "phishing", "severity": "high", "summary": "phishing: 3 event(s); first=email.link_clicked", "host": "host-001", "user": "alice"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T10:41:00Z", "source": "email", "event_type": "email.link_clicked", "fields": {"url": "https://login-update.click/secure", "user": "alice"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T19:12:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.155"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T19:12:02Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.110.178", "bytes_out": 81663}}], "ground_truth": "block_ip", "triggering_log_id": "L1-0", "stage": "stage3_mixed", "seed": 92007}
{"alert": {"alert_id": "A-EVAL-d-92008", "category": "brute_force", "severity": "medium", "summary": "brute_force: 9 event(s); first=auth.login_failure", "host": "host-001", "user": "admin"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T10:16:00Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.246"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T10:16:05Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.19"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T10:16:10Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.127"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T10:16:15Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.239"}}, {"log_id": "L1-4", "timestamp": "2026-04-25T10:16:20Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.245"}}, {"log_id": "L1-5", "timestamp": "2026-04-25T10:16:25Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.95"}}, {"log_id": "L1-6", "timestamp": "2026-04-25T10:16:30Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.8"}}, {"log_id": "L1-7", "timestamp": "2026-04-25T11:36:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}, {"log_id": "L1-8", "timestamp": "2026-04-25T11:36:02Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage3_mixed", "seed": 92008}
{"alert": {"alert_id": "A-EVAL-d-92009", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 3 event(s); first=edr.behavior_match", "host": "host-048", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T06:11:00Z", "source": "edr", "event_type": "edr.behavior_match", "fields": {"severity": "high", "rule_id": "EDR-7103", "host": "host-048"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T19:26:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.199.133", "bytes_out": 61417}}, {"log_id": "L1-2", "timestamp": "2026-04-25T19:26:02Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.18.3", "bytes_out": 43751}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-0", "stage": "stage3_mixed", "seed": 92009}
{"alert": {"alert_id": "A-EVAL-d-92010", "category": "brute_force", "severity": "medium", "summary": "brute_force: 8 event(s); first=auth.login_success", "host": "host-001", "user": "dave"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T13:35:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.212"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T13:35:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.165"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T14:59:00Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.7"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T14:59:05Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.168"}}, {"log_id": "L1-4", "timestamp": "2026-04-25T14:59:10Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.196"}}, {"log_id": "L1-5", "timestamp": "2026-04-25T14:59:15Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.201"}}, {"log_id": "L1-6", "timestamp": "2026-04-25T14:59:20Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.134"}}, {"log_id": "L1-7", "timestamp": "2026-04-25T14:59:25Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.155"}}], "ground_truth": "monitor", "triggering_log_id": "L1-2", "stage": "stage3_mixed", "seed": 92010}
{"alert": {"alert_id": "A-EVAL-d-92011", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 3 event(s); first=net.dns_query", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T05:46:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T05:46:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.188"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T07:31:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "10.0.214.180", "interval_s": 60}}], "ground_truth": "monitor", "triggering_log_id": "L1-2", "stage": "stage3_mixed", "seed": 92011}
{"alert": {"alert_id": "A-EVAL-d-92012", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 3 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T13:29:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "10.0.77.83", "interval_s": 60}}, {"log_id": "L1-1", "timestamp": "2026-04-25T13:56:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T13:56:02Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage3_mixed", "seed": 92012}
{"alert": {"alert_id": "A-EVAL-d-92013", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 3 event(s); first=net.dns_query", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T06:31:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T06:31:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.194"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T13:13:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.146"}}], "ground_truth": "dismiss", "triggering_log_id": "L1-2", "stage": "stage3_mixed", "seed": 92013}
{"alert": {"alert_id": "A-EVAL-d-92014", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 3 event(s); first=edr.behavior_match", "host": "host-036", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T06:21:00Z", "source": "edr", "event_type": "edr.behavior_match", "fields": {"severity": "high", "rule_id": "EDR-6406", "host": "host-036"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T19:50:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T19:50:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.157"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-0", "stage": "stage3_mixed", "seed": 92014}
{"alert": {"alert_id": "A-EVAL-d-92015", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 4 event(s); first=auth.login_success", "host": "host-001", "user": "carol"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T12:55:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.154"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T12:55:02Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T15:23:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "chrome.exe", "cmd": "-enc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T15:23:05Z", "source": "endpoint", "event_type": "file.write", "fields": {"path": "C:\\Users\\Public\\svc.exe"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-2", "stage": "stage3_mixed", "seed": 92015}
{"alert": {"alert_id": "A-EVAL-d-92016", "category": "phishing", "severity": "high", "summary": "phishing: 3 event(s); first=net.dns_query", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T01:35:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T01:35:02Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T07:28:00Z", "source": "email", "event_type": "email.link_clicked", "fields": {"url": "https://login-update.top/secure", "user": "bob"}}], "ground_truth": "block_ip", "triggering_log_id": "L1-2", "stage": "stage3_mixed", "seed": 92016}
{"alert": {"alert_id": "A-EVAL-d-92017", "category": "benign_noise", "severity": "medium", "summary": "benign_noise: 3 event(s); first=net.port_scan_hit", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T12:55:00Z", "source": "network", "event_type": "net.port_scan_hit", "fields": {"src_ip": "203.0.113.209", "port": 23}}, {"log_id": "L1-1", "timestamp": "2026-04-25T21:21:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.31"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T21:21:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.105"}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage3_mixed", "seed": 92017}
{"alert": {"alert_id": "A-EVAL-d-92018", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 3 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T01:44:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "10.0.18.129", "interval_s": 60}}, {"log_id": "L1-1", "timestamp": "2026-04-25T03:48:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.196"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T03:48:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.199"}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage3_mixed", "seed": 92018}
{"alert": {"alert_id": "A-EVAL-d-92019", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 4 event(s); first=proc.lolbin_use", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T01:32:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "chrome.exe", "cmd": "-enc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T01:32:05Z", "source": "endpoint", "event_type": "file.write", "fields": {"path": "C:\\Users\\Public\\tmp.exe"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T11:53:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.29"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T11:53:02Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-0", "stage": "stage3_mixed", "seed": 92019}
{"alert": {"alert_id": "A-EVAL-d-92020", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 3 event(s); first=auth.login_success", "host": "host-001", "user": "alice"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T02:31:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "alice", "src_ip": "10.0.0.23"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T02:31:02Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.185.79", "bytes_out": 99042}}, {"log_id": "L1-2", "timestamp": "2026-04-25T04:34:00Z", "source": "edr", "event_type": "edr.behavior_match", "fields": {"severity": "high", "rule_id": "EDR-6598", "host": "host-015"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-2", "stage": "stage3_mixed", "seed": 92020}
{"alert": {"alert_id": "A-EVAL-d-92021", "category": "malware_execution", "severity": "critical", "summary": "malware_execution: 5 event(s); first=proc.lolbin_use", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T03:53:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "outlook.exe", "cmd": "-enc BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T03:53:15Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "203.0.113.5", "interval_s": 30}}, {"log_id": "L1-2", "timestamp": "2026-04-25T03:53:30Z", "source": "identity", "event_type": "auth.privilege_grant", "fields": {"user": "bob", "role": "admin"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T08:51:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}, {"log_id": "L1-4", "timestamp": "2026-04-25T08:51:02Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}], "ground_truth": "escalate", "triggering_log_id": "L1-0", "stage": "stage3_mixed", "seed": 92021}
{"alert": {"alert_id": "A-EVAL-d-92022", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 4 event(s); first=proc.lolbin_use", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T03:52:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "winword.exe", "cmd": "-enc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T03:52:05Z", "source": "endpoint", "event_type": "file.write", "fields": {"path": "C:\\Users\\Public\\svc.exe"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T20:29:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T20:29:02Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.73.182", "bytes_out": 39371}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-0", "stage": "stage3_mixed", "seed": 92022}
{"alert": {"alert_id": "A-EVAL-d-92023", "category": "phishing", "severity": "high", "summary": "phishing: 3 event(s); first=net.dns_query", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T08:46:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T08:46:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.224"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T09:39:00Z", "source": "email", "event_type": "email.link_clicked", "fields": {"url": "https://login-update.click/secure", "user": "alice"}}], "ground_truth": "block_ip", "triggering_log_id": "L1-2", "stage": "stage3_mixed", "seed": 92023}
{"alert": {"alert_id": "A-EVAL-d-92024", "category": "benign_noise", "severity": "medium", "summary": "benign_noise: 3 event(s); first=net.dns_query", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T06:09:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T06:09:02Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.133.148", "bytes_out": 62360}}, {"log_id": "L1-2", "timestamp": "2026-04-25T16:15:00Z", "source": "network", "event_type": "net.port_scan_hit", "fields": {"src_ip": "203.0.113.19", "port": 3389}}], "ground_truth": "monitor", "triggering_log_id": "L1-2", "stage": "stage3_mixed", "seed": 92024}
{"alert": {"alert_id": "A-EVAL-d-92025", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 3 event(s); first=auth.login_success", "host": "host-001", "user": "bob"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T12:30:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.20"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T21:44:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T21:44:02Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.191.149", "bytes_out": 1805}}], "ground_truth": "dismiss", "triggering_log_id": "L1-2", "stage": "stage3_mixed", "seed": 92025}
{"alert": {"alert_id": "A-EVAL-d-92026", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 3 event(s); first=net.dns_query", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T03:29:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T03:29:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.46"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T22:52:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "10.0.204.226", "interval_s": 90}}], "ground_truth": "monitor", "triggering_log_id": "L1-2", "stage": "stage3_mixed", "seed": 92026}
{"alert": {"alert_id": "A-EVAL-d-92027", "category": "benign_noise", "severity": "medium", "summary": "benign_noise: 3 event(s); first=net.port_scan_hit", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T04:38:00Z", "source": "network", "event_type": "net.port_scan_hit", "fields": {"src_ip": "203.0.113.41", "port": 445}}, {"log_id": "L1-1", "timestamp": "2026-04-25T17:02:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.177"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T17:02:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.21"}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage3_mixed", "seed": 92027}
{"alert": {"alert_id": "A-EVAL-d-92028", "category": "benign_noise", "severity": "medium", "summary": "benign_noise: 3 event(s); first=auth.login_success", "host": "host-001", "user": "alice"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T00:44:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "alice", "src_ip": "10.0.0.150"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T00:44:02Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.133.210", "bytes_out": 16795}}, {"log_id": "L1-2", "timestamp": "2026-04-25T16:35:00Z", "source": "network", "event_type": "net.port_scan_hit", "fields": {"src_ip": "203.0.113.87", "port": 23}}], "ground_truth": "monitor", "triggering_log_id": "L1-2", "stage": "stage3_mixed", "seed": 92028}
{"alert": {"alert_id": "A-EVAL-d-92029", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 3 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T11:12:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "10.0.204.114", "interval_s": 30}}, {"log_id": "L1-1", "timestamp": "2026-04-25T20:16:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.37.53", "bytes_out": 60842}}, {"log_id": "L1-2", "timestamp": "2026-04-25T20:16:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "alice", "src_ip": "10.0.0.83"}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage3_mixed", "seed": 92029}
{"alert": {"alert_id": "A-EVAL-d-92030", "category": "brute_force", "severity": "medium", "summary": "brute_force: 7 event(s); first=net.dns_query", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T09:26:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T09:26:02Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T22:17:00Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.56"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T22:17:05Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.115"}}, {"log_id": "L1-4", "timestamp": "2026-04-25T22:17:10Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.185"}}, {"log_id": "L1-5", "timestamp": "2026-04-25T22:17:15Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.219"}}, {"log_id": "L1-6", "timestamp": "2026-04-25T22:17:20Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.84"}}], "ground_truth": "monitor", "triggering_log_id": "L1-2", "stage": "stage3_mixed", "seed": 92030}
{"alert": {"alert_id": "A-EVAL-d-92031", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 3 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T20:19:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "10.0.75.48", "interval_s": 90}}, {"log_id": "L1-1", "timestamp": "2026-04-25T22:19:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.63"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T22:19:02Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.241.206", "bytes_out": 39375}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage3_mixed", "seed": 92031}
{"alert": {"alert_id": "A-EVAL-d-92032", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 3 event(s); first=net.dns_query", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T04:00:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T04:00:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.103"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T15:15:00Z", "source": "edr", "event_type": "edr.behavior_match", "fields": {"severity": "high", "rule_id": "EDR-7716", "host": "host-030"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-2", "stage": "stage3_mixed", "seed": 92032}
{"alert": {"alert_id": "A-EVAL-d-92033", "category": "phishing", "severity": "high", "summary": "phishing: 3 event(s); first=email.link_clicked", "host": "host-001", "user": "carol"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T07:52:00Z", "source": "email", "event_type": "email.link_clicked", "fields": {"url": "https://login-update.click/secure", "user": "carol"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T09:37:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.104"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T09:37:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.111"}}], "ground_truth": "block_ip", "triggering_log_id": "L1-0", "stage": "stage3_mixed", "seed": 92033}
{"alert": {"alert_id": "A-EVAL-d-92034", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 3 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T11:31:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "10.0.54.115", "interval_s": 60}}, {"log_id": "L1-1", "timestamp": "2026-04-25T20:23:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T20:23:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.216"}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage3_mixed", "seed": 92034}
{"alert": {"alert_id": "A-EVAL-d-92035", "category": "benign_noise", "severity": "medium", "summary": "benign_noise: 3 event(s); first=net.outbound_connection", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T11:08:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.73.13", "bytes_out": 81140}}, {"log_id": "L1-1", "timestamp": "2026-04-25T11:08:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.121"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T19:31:00Z", "source": "network", "event_type": "net.port_scan_hit", "fields": {"src_ip": "203.0.113.250", "port": 3389}}], "ground_truth": "monitor", "triggering_log_id": "L1-2", "stage": "stage3_mixed", "seed": 92035}
{"alert": {"alert_id": "A-EVAL-d-92036", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 4 event(s); first=auth.login_success", "host": "host-001", "user": "alice"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T01:37:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "alice", "src_ip": "10.0.0.248"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T01:37:02Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.30.178", "bytes_out": 75937}}, {"log_id": "L1-2", "timestamp": "2026-04-25T20:32:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "outlook.exe", "cmd": "-enc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T20:32:05Z", "source": "endpoint", "event_type": "file.write", "fields": {"path": "C:\\Users\\Public\\payload.exe"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-2", "stage": "stage3_mixed", "seed": 92036}
{"alert": {"alert_id": "A-EVAL-d-92037", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 4 event(s); first=auth.login_success", "host": "host-001", "user": "bob"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T02:13:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.225"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T02:13:02Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T06:43:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "outlook.exe", "cmd": "-enc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T06:43:05Z", "source": "endpoint", "event_type": "file.write", "fields": {"path": "C:\\Users\\Public\\payload.exe"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-2", "stage": "stage3_mixed", "seed": 92037}
{"alert": {"alert_id": "A-EVAL-d-92038", "category": "malware_execution", "severity": "critical", "summary": "malware_execution: 5 event(s); first=net.dns_query", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T03:02:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T03:02:02Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.17.156", "bytes_out": 25037}}, {"log_id": "L1-2", "timestamp": "2026-04-25T22:14:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "outlook.exe", "cmd": "-enc BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T22:14:15Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "203.0.113.5", "interval_s": 30}}, {"log_id": "L1-4", "timestamp": "2026-04-25T22:14:30Z", "source": "identity", "event_type": "auth.privilege_grant", "fields": {"user": "bob", "role": "admin"}}], "ground_truth": "escalate", "triggering_log_id": "L1-2", "stage": "stage3_mixed", "seed": 92038}
{"alert": {"alert_id": "A-EVAL-d-92039", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 3 event(s); first=edr.behavior_match", "host": "host-045", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T06:35:00Z", "source": "edr", "event_type": "edr.behavior_match", "fields": {"severity": "high", "rule_id": "EDR-9921", "host": "host-045"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T18:02:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T18:02:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.112"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-0", "stage": "stage3_mixed", "seed": 92039}
{"alert": {"alert_id": "A-EVAL-d-92040", "category": "benign_noise", "severity": "medium", "summary": "benign_noise: 3 event(s); first=net.port_scan_hit", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T13:07:00Z", "source": "network", "event_type": "net.port_scan_hit", "fields": {"src_ip": "203.0.113.60", "port": 22}}, {"log_id": "L1-1", "timestamp": "2026-04-25T17:35:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.84.112", "bytes_out": 91827}}, {"log_id": "L1-2", "timestamp": "2026-04-25T17:35:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.155"}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage3_mixed", "seed": 92040}
{"alert": {"alert_id": "A-EVAL-d-92041", "category": "malware_execution", "severity": "critical", "summary": "malware_execution: 5 event(s); first=auth.login_success", "host": "host-001", "user": "alice"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T10:12:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "alice", "src_ip": "10.0.0.74"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T10:12:02Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T16:58:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "outlook.exe", "cmd": "-enc BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T16:58:15Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "203.0.113.5", "interval_s": 30}}, {"log_id": "L1-4", "timestamp": "2026-04-25T16:58:30Z", "source": "identity", "event_type": "auth.privilege_grant", "fields": {"user": "alice", "role": "admin"}}], "ground_truth": "escalate", "triggering_log_id": "L1-2", "stage": "stage3_mixed", "seed": 92041}
{"alert": {"alert_id": "A-EVAL-d-92042", "category": "c2_beacon", "severity": "high", "summary": "c2_beacon: 3 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T00:33:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "185.220.101.7", "interval_s": 90}}, {"log_id": "L1-1", "timestamp": "2026-04-25T20:37:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T20:37:02Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.48.244", "bytes_out": 6590}}], "ground_truth": "block_ip", "triggering_log_id": "L1-0", "stage": "stage3_mixed", "seed": 92042}
{"alert": {"alert_id": "A-EVAL-d-92043", "category": "phishing", "severity": "high", "summary": "phishing: 3 event(s); first=email.link_clicked", "host": "host-001", "user": "bob"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T09:59:00Z", "source": "email", "event_type": "email.link_clicked", "fields": {"url": "https://login-update.cn/secure", "user": "bob"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T18:48:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.170.227", "bytes_out": 65651}}, {"log_id": "L1-2", "timestamp": "2026-04-25T18:48:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.170"}}], "ground_truth": "block_ip", "triggering_log_id": "L1-0", "stage": "stage3_mixed", "seed": 92043}
{"alert": {"alert_id": "A-EVAL-d-92044", "category": "c2_beacon", "severity": "high", "summary": "c2_beacon: 3 event(s); first=net.outbound_connection", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T12:05:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.51.71", "bytes_out": 78203}}, {"log_id": "L1-1", "timestamp": "2026-04-25T12:05:02Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.153.54", "bytes_out": 38076}}, {"log_id": "L1-2", "timestamp": "2026-04-25T20:47:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "185.220.101.7", "interval_s": 60}}], "ground_truth": "block_ip", "triggering_log_id": "L1-2", "stage": "stage3_mixed", "seed": 92044}
{"alert": {"alert_id": "A-EVAL-d-92045", "category": "brute_force", "severity": "medium", "summary": "brute_force: 10 event(s); first=net.dns_query", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T06:00:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T06:00:02Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.126.79", "bytes_out": 71668}}, {"log_id": "L1-2", "timestamp": "2026-04-25T11:11:00Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.15"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T11:11:05Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.47"}}, {"log_id": "L1-4", "timestamp": "2026-04-25T11:11:10Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.136"}}, {"log_id": "L1-5", "timestamp": "2026-04-25T11:11:15Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.210"}}, {"log_id": "L1-6", "timestamp": "2026-04-25T11:11:20Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.120"}}, {"log_id": "L1-7", "timestamp": "2026-04-25T11:11:25Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.132"}}, {"log_id": "L1-8", "timestamp": "2026-04-25T11:11:30Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.198"}}, {"log_id": "L1-9", "timestamp": "2026-04-25T11:11:35Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.37"}}], "ground_truth": "monitor", "triggering_log_id": "L1-2", "stage": "stage3_mixed", "seed": 92045}
{"alert": {"alert_id": "A-EVAL-d-92046", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 3 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T10:42:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "10.0.207.47", "interval_s": 60}}, {"log_id": "L1-1", "timestamp": "2026-04-25T17:53:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.184"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T17:53:02Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage3_mixed", "seed": 92046}
{"alert": {"alert_id": "A-EVAL-d-92047", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 4 event(s); first=auth.login_success", "host": "host-001", "user": "carol"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T12:36:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.130"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T12:36:02Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.164.13", "bytes_out": 94453}}, {"log_id": "L1-2", "timestamp": "2026-04-25T16:44:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "excel.exe", "cmd": "-enc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T16:44:05Z", "source": "endpoint", "event_type": "file.write", "fields": {"path": "C:\\Users\\Public\\svc.exe"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-2", "stage": "stage3_mixed", "seed": 92047}
{"alert": {"alert_id": "A-EVAL-d-92048", "category": "benign_noise", "severity": "medium", "summary": "benign_noise: 3 event(s); first=net.port_scan_hit", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T09:09:00Z", "source": "network", "event_type": "net.port_scan_hit", "fields": {"src_ip": "203.0.113.235", "port": 23}}, {"log_id": "L1-1", "timestamp": "2026-04-25T16:41:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.12"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T16:41:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.154"}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage3_mixed", "seed": 92048}
{"alert": {"alert_id": "A-EVAL-d-92049", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 4 event(s); first=auth.login_success", "host": "host-001", "user": "dave"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T00:12:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.52"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T00:12:02Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.202.40", "bytes_out": 80520}}, {"log_id": "L1-2", "timestamp": "2026-04-25T19:55:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "excel.exe", "cmd": "-enc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T19:55:05Z", "source": "endpoint", "event_type": "file.write", "fields": {"path": "C:\\Users\\Public\\svc.exe"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-2", "stage": "stage3_mixed", "seed": 92049}
{"alert": {"alert_id": "A-EVAL-l-93000", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 4 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T06:15:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "10.0.72.10", "interval_s": 30}}, {"log_id": "L1-1", "timestamp": "2026-04-25T09:39:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.28"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T09:39:02Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.23.160", "bytes_out": 38043}}, {"log_id": "L1-3", "timestamp": "2026-04-25T09:39:04Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.108.241", "bytes_out": 36859}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage4_adversarial", "seed": 93000}
{"alert": {"alert_id": "A-EVAL-l-93001", "category": "c2_beacon", "severity": "high", "summary": "c2_beacon: 4 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T06:47:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "185.220.101.7", "interval_s": 60}}, {"log_id": "L1-1", "timestamp": "2026-04-25T13:14:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.183.125", "bytes_out": 92358}}, {"log_id": "L1-2", "timestamp": "2026-04-25T13:14:02Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T13:14:04Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.80.164", "bytes_out": 75352}}], "ground_truth": "block_ip", "triggering_log_id": "L1-0", "stage": "stage4_adversarial", "seed": 93001}
{"alert": {"alert_id": "A-EVAL-l-93002", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 4 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T04:30:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "10.0.244.83", "interval_s": 60}}, {"log_id": "L1-1", "timestamp": "2026-04-25T08:04:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T08:04:02Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T08:04:04Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "alice", "src_ip": "10.0.0.243"}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage4_adversarial", "seed": 93002}
{"alert": {"alert_id": "A-EVAL-l-93003", "category": "c2_beacon", "severity": "high", "summary": "c2_beacon: 4 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T07:56:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "185.220.101.7", "interval_s": 90}}, {"log_id": "L1-1", "timestamp": "2026-04-25T17:25:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.70"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T17:25:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.170"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T17:25:04Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.148.248", "bytes_out": 71310}}], "ground_truth": "block_ip", "triggering_log_id": "L1-0", "stage": "stage4_adversarial", "seed": 93003}
{"alert": {"alert_id": "A-EVAL-l-93004", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 4 event(s); first=auth.login_success", "host": "host-001", "user": "dave"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T04:55:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.144"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T19:38:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T19:38:02Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T19:38:04Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}], "ground_truth": "dismiss", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93004}
{"alert": {"alert_id": "A-EVAL-l-93005", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 4 event(s); first=net.dns_query", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T09:11:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T09:11:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.196"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T09:11:04Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.153.118", "bytes_out": 9827}}, {"log_id": "L1-3", "timestamp": "2026-04-25T17:44:00Z", "source": "edr", "event_type": "edr.behavior_match", "fields": {"severity": "high", "rule_id": "EDR-5070", "host": "host-033"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93005}
{"alert": {"alert_id": "A-EVAL-l-93006", "category": "phishing", "severity": "high", "summary": "phishing: 4 event(s); first=net.outbound_connection", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T02:22:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.58.243", "bytes_out": 57937}}, {"log_id": "L1-1", "timestamp": "2026-04-25T02:22:02Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T02:22:04Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.143"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T14:05:00Z", "source": "email", "event_type": "email.link_clicked", "fields": {"url": "https://login-update.top/secure", "user": "alice"}}], "ground_truth": "block_ip", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93006}
{"alert": {"alert_id": "A-EVAL-l-93007", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 4 event(s); first=net.dns_query", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T02:17:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T02:17:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.123"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T02:17:04Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.63.14", "bytes_out": 64586}}, {"log_id": "L1-3", "timestamp": "2026-04-25T17:42:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "10.0.118.149", "interval_s": 30}}], "ground_truth": "monitor", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93007}
{"alert": {"alert_id": "A-EVAL-l-93008", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 5 event(s); first=net.dns_query", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T11:51:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T11:51:02Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T11:51:04Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "alice", "src_ip": "10.0.0.248"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T16:22:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "winword.exe", "cmd": "-enc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}}, {"log_id": "L1-4", "timestamp": "2026-04-25T16:22:05Z", "source": "endpoint", "event_type": "file.write", "fields": {"path": "C:\\Users\\Public\\payload.exe"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93008}
{"alert": {"alert_id": "A-EVAL-l-93009", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 5 event(s); first=proc.lolbin_use", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T17:50:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "outlook.exe", "cmd": "-enc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T17:50:05Z", "source": "endpoint", "event_type": "file.write", "fields": {"path": "C:\\Users\\Public\\svc.exe"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T19:51:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.227"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T19:51:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.182"}}, {"log_id": "L1-4", "timestamp": "2026-04-25T19:51:04Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.180.11", "bytes_out": 27276}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-0", "stage": "stage4_adversarial", "seed": 93009}
{"alert": {"alert_id": "A-EVAL-l-93010", "category": "brute_force", "severity": "medium", "summary": "brute_force: 10 event(s); first=net.dns_query", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T05:01:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T05:01:02Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.244.112", "bytes_out": 61917}}, {"log_id": "L1-2", "timestamp": "2026-04-25T05:01:04Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "alice", "src_ip": "10.0.0.15"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T20:05:00Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.215"}}, {"log_id": "L1-4", "timestamp": "2026-04-25T20:05:05Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.55"}}, {"log_id": "L1-5", "timestamp": "2026-04-25T20:05:10Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.156"}}, {"log_id": "L1-6", "timestamp": "2026-04-25T20:05:15Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.182"}}, {"log_id": "L1-7", "timestamp": "2026-04-25T20:05:20Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.15"}}, {"log_id": "L1-8", "timestamp": "2026-04-25T20:05:25Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.226"}}, {"log_id": "L1-9", "timestamp": "2026-04-25T20:05:30Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.237"}}], "ground_truth": "monitor", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93010}
{"alert": {"alert_id": "A-EVAL-l-93011", "category": "malware_execution", "severity": "critical", "summary": "malware_execution: 6 event(s); first=auth.login_success", "host": "host-001", "user": "dave"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T00:09:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.159"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T00:09:02Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T00:09:04Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "alice", "src_ip": "10.0.0.206"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T02:50:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "outlook.exe", "cmd": "-enc BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"}}, {"log_id": "L1-4", "timestamp": "2026-04-25T02:50:15Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "203.0.113.5", "interval_s": 30}}, {"log_id": "L1-5", "timestamp": "2026-04-25T02:50:30Z", "source": "identity", "event_type": "auth.privilege_grant", "fields": {"user": "alice", "role": "admin"}}], "ground_truth": "escalate", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93011}
{"alert": {"alert_id": "A-EVAL-l-93012", "category": "benign_noise", "severity": "medium", "summary": "benign_noise: 4 event(s); first=net.port_scan_hit", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T08:04:00Z", "source": "network", "event_type": "net.port_scan_hit", "fields": {"src_ip": "203.0.113.208", "port": 5985}}, {"log_id": "L1-1", "timestamp": "2026-04-25T17:23:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.96.152", "bytes_out": 56279}}, {"log_id": "L1-2", "timestamp": "2026-04-25T17:23:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "alice", "src_ip": "10.0.0.154"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T17:23:04Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.211"}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage4_adversarial", "seed": 93012}
{"alert": {"alert_id": "A-EVAL-l-93013", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 5 event(s); first=auth.login_success", "host": "host-001", "user": "carol"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T03:22:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.18"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T03:22:02Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.22.98", "bytes_out": 65184}}, {"log_id": "L1-2", "timestamp": "2026-04-25T03:22:04Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T18:32:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "chrome.exe", "cmd": "-enc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}}, {"log_id": "L1-4", "timestamp": "2026-04-25T18:32:05Z", "source": "endpoint", "event_type": "file.write", "fields": {"path": "C:\\Users\\Public\\payload.exe"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93013}
{"alert": {"alert_id": "A-EVAL-l-93014", "category": "phishing", "severity": "high", "summary": "phishing: 4 event(s); first=net.dns_query", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T15:07:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T15:07:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.132"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T15:07:04Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.29.139", "bytes_out": 83057}}, {"log_id": "L1-3", "timestamp": "2026-04-25T15:14:00Z", "source": "email", "event_type": "email.link_clicked", "fields": {"url": "https://login-update.ru/secure", "user": "alice"}}], "ground_truth": "block_ip", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93014}
{"alert": {"alert_id": "A-EVAL-l-93015", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 4 event(s); first=auth.login_success", "host": "host-001", "user": "dave"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T08:57:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.56"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T08:57:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.10"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T08:57:04Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T18:56:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "erin", "src_ip": "10.0.0.199"}}], "ground_truth": "dismiss", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93015}
{"alert": {"alert_id": "A-EVAL-l-93016", "category": "malware_execution", "severity": "critical", "summary": "malware_execution: 6 event(s); first=net.outbound_connection", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T02:18:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.209.129", "bytes_out": 3996}}, {"log_id": "L1-1", "timestamp": "2026-04-25T02:18:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.166"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T02:18:04Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T09:35:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "outlook.exe", "cmd": "-enc BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"}}, {"log_id": "L1-4", "timestamp": "2026-04-25T09:35:15Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "203.0.113.5", "interval_s": 30}}, {"log_id": "L1-5", "timestamp": "2026-04-25T09:35:30Z", "source": "identity", "event_type": "auth.privilege_grant", "fields": {"user": "bob", "role": "admin"}}], "ground_truth": "escalate", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93016}
{"alert": {"alert_id": "A-EVAL-l-93017", "category": "malware_execution", "severity": "critical", "summary": "malware_execution: 6 event(s); first=proc.lolbin_use", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T03:35:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "outlook.exe", "cmd": "-enc BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T03:35:15Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "203.0.113.5", "interval_s": 30}}, {"log_id": "L1-2", "timestamp": "2026-04-25T03:35:30Z", "source": "identity", "event_type": "auth.privilege_grant", "fields": {"user": "bob", "role": "admin"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T03:53:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}, {"log_id": "L1-4", "timestamp": "2026-04-25T03:53:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.196"}}, {"log_id": "L1-5", "timestamp": "2026-04-25T03:53:04Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}], "ground_truth": "escalate", "triggering_log_id": "L1-0", "stage": "stage4_adversarial", "seed": 93017}
{"alert": {"alert_id": "A-EVAL-l-93018", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 4 event(s); first=auth.login_success", "host": "host-001", "user": "alice"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T03:39:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "alice", "src_ip": "10.0.0.133"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T03:39:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.197"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T03:39:04Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T20:06:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "10.0.233.188", "interval_s": 60}}], "ground_truth": "monitor", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93018}
{"alert": {"alert_id": "A-EVAL-l-93019", "category": "benign_noise", "severity": "medium", "summary": "benign_noise: 4 event(s); first=net.outbound_connection", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T11:13:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.48.38", "bytes_out": 44401}}, {"log_id": "L1-1", "timestamp": "2026-04-25T11:13:02Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T11:13:04Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.224"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T17:51:00Z", "source": "network", "event_type": "net.port_scan_hit", "fields": {"src_ip": "203.0.113.121", "port": 23}}], "ground_truth": "monitor", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93019}
{"alert": {"alert_id": "A-EVAL-l-93020", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 5 event(s); first=proc.lolbin_use", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T04:18:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "outlook.exe", "cmd": "-enc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T04:18:05Z", "source": "endpoint", "event_type": "file.write", "fields": {"path": "C:\\Users\\Public\\tmp.exe"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T08:08:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.189"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T08:08:02Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.151.104", "bytes_out": 9343}}, {"log_id": "L1-4", "timestamp": "2026-04-25T08:08:04Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.93"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-0", "stage": "stage4_adversarial", "seed": 93020}
{"alert": {"alert_id": "A-EVAL-l-93021", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 4 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T05:20:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "10.0.244.215", "interval_s": 90}}, {"log_id": "L1-1", "timestamp": "2026-04-25T13:37:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "alice", "src_ip": "10.0.0.34"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T13:37:02Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T13:37:04Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage4_adversarial", "seed": 93021}
{"alert": {"alert_id": "A-EVAL-l-93022", "category": "benign_noise", "severity": "medium", "summary": "benign_noise: 4 event(s); first=net.outbound_connection", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T03:03:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.68.157", "bytes_out": 14980}}, {"log_id": "L1-1", "timestamp": "2026-04-25T03:03:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.199"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T03:03:04Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T10:16:00Z", "source": "network", "event_type": "net.port_scan_hit", "fields": {"src_ip": "203.0.113.36", "port": 445}}], "ground_truth": "monitor", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93022}
{"alert": {"alert_id": "A-EVAL-l-93023", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 4 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T12:20:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "10.0.110.197", "interval_s": 90}}, {"log_id": "L1-1", "timestamp": "2026-04-25T14:58:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T14:58:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.221"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T14:58:04Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "alice", "src_ip": "10.0.0.146"}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage4_adversarial", "seed": 93023}
{"alert": {"alert_id": "A-EVAL-l-93024", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 4 event(s); first=auth.login_success", "host": "host-001", "user": "carol"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T01:45:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.228"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T01:45:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "alice", "src_ip": "10.0.0.32"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T01:45:04Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.67"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T09:00:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.148"}}], "ground_truth": "dismiss", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93024}
{"alert": {"alert_id": "A-EVAL-l-93025", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 4 event(s); first=net.outbound_connection", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T06:02:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.176.184", "bytes_out": 96038}}, {"log_id": "L1-1", "timestamp": "2026-04-25T06:02:02Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.102.184", "bytes_out": 93125}}, {"log_id": "L1-2", "timestamp": "2026-04-25T06:02:04Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.94.241", "bytes_out": 93450}}, {"log_id": "L1-3", "timestamp": "2026-04-25T12:28:00Z", "source": "edr", "event_type": "edr.behavior_match", "fields": {"severity": "high", "rule_id": "EDR-3695", "host": "host-044"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93025}
{"alert": {"alert_id": "A-EVAL-l-93026", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 5 event(s); first=net.dns_query", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T11:53:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T11:53:02Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.106.69", "bytes_out": 64910}}, {"log_id": "L1-2", "timestamp": "2026-04-25T11:53:04Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.217.248", "bytes_out": 96613}}, {"log_id": "L1-3", "timestamp": "2026-04-25T19:05:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "chrome.exe", "cmd": "-enc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}}, {"log_id": "L1-4", "timestamp": "2026-04-25T19:05:05Z", "source": "endpoint", "event_type": "file.write", "fields": {"path": "C:\\Users\\Public\\tmp.exe"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93026}
{"alert": {"alert_id": "A-EVAL-l-93027", "category": "benign_noise", "severity": "medium", "summary": "benign_noise: 4 event(s); first=net.port_scan_hit", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T14:31:00Z", "source": "network", "event_type": "net.port_scan_hit", "fields": {"src_ip": "203.0.113.233", "port": 3389}}, {"log_id": "L1-1", "timestamp": "2026-04-25T19:59:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.104"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T19:59:02Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T19:59:04Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.143.63", "bytes_out": 79133}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage4_adversarial", "seed": 93027}
{"alert": {"alert_id": "A-EVAL-l-93028", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 4 event(s); first=net.outbound_connection", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T04:16:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.185.70", "bytes_out": 24711}}, {"log_id": "L1-1", "timestamp": "2026-04-25T04:16:02Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.157.121", "bytes_out": 83623}}, {"log_id": "L1-2", "timestamp": "2026-04-25T04:16:04Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.92"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T11:09:00Z", "source": "edr", "event_type": "edr.behavior_match", "fields": {"severity": "high", "rule_id": "EDR-9536", "host": "host-025"}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93028}
{"alert": {"alert_id": "A-EVAL-l-93029", "category": "c2_beacon", "severity": "high", "summary": "c2_beacon: 4 event(s); first=net.dns_query", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T13:00:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T13:00:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "alice", "src_ip": "10.0.0.234"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T13:00:04Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T22:27:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "185.220.101.7", "interval_s": 90}}], "ground_truth": "block_ip", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93029}
{"alert": {"alert_id": "A-EVAL-l-93030", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 4 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T18:13:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "10.0.122.44", "interval_s": 60}}, {"log_id": "L1-1", "timestamp": "2026-04-25T20:00:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.88"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T20:00:02Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T20:00:04Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}], "ground_truth": "monitor", "triggering_log_id": "L1-0", "stage": "stage4_adversarial", "seed": 93030}
{"alert": {"alert_id": "A-EVAL-l-93031", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 4 event(s); first=auth.login_success", "host": "host-001", "user": "dave"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T00:44:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.41"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T14:37:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.45"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T14:37:02Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T14:37:04Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.153"}}], "ground_truth": "dismiss", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93031}
{"alert": {"alert_id": "A-EVAL-l-93032", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 4 event(s); first=auth.login_success", "host": "host-001", "user": "dave"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T17:30:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.56"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T17:30:02Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.30.76", "bytes_out": 65394}}, {"log_id": "L1-2", "timestamp": "2026-04-25T17:30:04Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.171.122", "bytes_out": 2642}}, {"log_id": "L1-3", "timestamp": "2026-04-25T18:00:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.72"}}], "ground_truth": "dismiss", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93032}
{"alert": {"alert_id": "A-EVAL-l-93033", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 4 event(s); first=auth.login_success", "host": "host-001", "user": "dave"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T00:44:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.220"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T00:44:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.30"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T00:44:04Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.47.218", "bytes_out": 61835}}, {"log_id": "L1-3", "timestamp": "2026-04-25T16:41:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "erin", "src_ip": "10.0.0.129"}}], "ground_truth": "dismiss", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93033}
{"alert": {"alert_id": "A-EVAL-l-93034", "category": "brute_force", "severity": "medium", "summary": "brute_force: 10 event(s); first=auth.login_success", "host": "host-001", "user": "bob"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T02:47:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.150"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T02:47:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.100"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T02:47:04Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T18:56:00Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "service_acct", "src_ip": "203.0.113.197"}}, {"log_id": "L1-4", "timestamp": "2026-04-25T18:56:05Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "service_acct", "src_ip": "203.0.113.12"}}, {"log_id": "L1-5", "timestamp": "2026-04-25T18:56:10Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "service_acct", "src_ip": "203.0.113.226"}}, {"log_id": "L1-6", "timestamp": "2026-04-25T18:56:15Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "service_acct", "src_ip": "203.0.113.72"}}, {"log_id": "L1-7", "timestamp": "2026-04-25T18:56:20Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "service_acct", "src_ip": "203.0.113.95"}}, {"log_id": "L1-8", "timestamp": "2026-04-25T18:56:25Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "service_acct", "src_ip": "203.0.113.112"}}, {"log_id": "L1-9", "timestamp": "2026-04-25T18:56:30Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "service_acct", "src_ip": "203.0.113.125"}}], "ground_truth": "monitor", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93034}
{"alert": {"alert_id": "A-EVAL-l-93035", "category": "phishing", "severity": "high", "summary": "phishing: 4 event(s); first=email.link_clicked", "host": "host-001", "user": "carol"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T03:32:00Z", "source": "email", "event_type": "email.link_clicked", "fields": {"url": "https://login-update.top/secure", "user": "carol"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T17:32:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T17:32:02Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T17:32:04Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.115"}}], "ground_truth": "block_ip", "triggering_log_id": "L1-0", "stage": "stage4_adversarial", "seed": 93035}
{"alert": {"alert_id": "A-EVAL-l-93036", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 4 event(s); first=edr.behavior_match", "host": "host-008", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T07:16:00Z", "source": "edr", "event_type": "edr.behavior_match", "fields": {"severity": "high", "rule_id": "EDR-4762", "host": "host-008"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T09:14:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.124"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T09:14:02Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.241.181", "bytes_out": 78549}}, {"log_id": "L1-3", "timestamp": "2026-04-25T09:14:04Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.160.123", "bytes_out": 47631}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-0", "stage": "stage4_adversarial", "seed": 93036}
{"alert": {"alert_id": "A-EVAL-l-93037", "category": "c2_beacon", "severity": "high", "summary": "c2_beacon: 4 event(s); first=net.outbound_connection", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T05:13:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.200.130", "bytes_out": 96861}}, {"log_id": "L1-1", "timestamp": "2026-04-25T05:13:02Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.70.188", "bytes_out": 87310}}, {"log_id": "L1-2", "timestamp": "2026-04-25T05:13:04Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.4.247", "bytes_out": 82865}}, {"log_id": "L1-3", "timestamp": "2026-04-25T06:19:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "198.51.100.42", "interval_s": 90}}], "ground_truth": "block_ip", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93037}
{"alert": {"alert_id": "A-EVAL-l-93038", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 4 event(s); first=net.dns_query", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T18:58:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T18:58:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.171"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T18:58:04Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.47.203", "bytes_out": 14699}}, {"log_id": "L1-3", "timestamp": "2026-04-25T20:59:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "10.0.36.159", "interval_s": 90}}], "ground_truth": "monitor", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93038}
{"alert": {"alert_id": "A-EVAL-l-93039", "category": "phishing", "severity": "high", "summary": "phishing: 4 event(s); first=net.outbound_connection", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T10:31:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.184.117", "bytes_out": 54691}}, {"log_id": "L1-1", "timestamp": "2026-04-25T10:31:02Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T10:31:04Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.108.52", "bytes_out": 60603}}, {"log_id": "L1-3", "timestamp": "2026-04-25T11:04:00Z", "source": "email", "event_type": "email.link_clicked", "fields": {"url": "https://login-update.ru/secure", "user": "carol"}}], "ground_truth": "block_ip", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93039}
{"alert": {"alert_id": "A-EVAL-l-93040", "category": "phishing", "severity": "high", "summary": "phishing: 4 event(s); first=net.outbound_connection", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T19:27:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.155.67", "bytes_out": 11356}}, {"log_id": "L1-1", "timestamp": "2026-04-25T19:27:02Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.59.151", "bytes_out": 49436}}, {"log_id": "L1-2", "timestamp": "2026-04-25T19:27:04Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "alice", "src_ip": "10.0.0.212"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T20:10:00Z", "source": "email", "event_type": "email.link_clicked", "fields": {"url": "https://login-update.cn/secure", "user": "bob"}}], "ground_truth": "block_ip", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93040}
{"alert": {"alert_id": "A-EVAL-l-93041", "category": "malware_execution", "severity": "critical", "summary": "malware_execution: 6 event(s); first=proc.lolbin_use", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T13:22:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "outlook.exe", "cmd": "-enc BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T13:22:15Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "203.0.113.5", "interval_s": 30}}, {"log_id": "L1-2", "timestamp": "2026-04-25T13:22:30Z", "source": "identity", "event_type": "auth.privilege_grant", "fields": {"user": "bob", "role": "admin"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T14:00:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.1.241", "bytes_out": 11167}}, {"log_id": "L1-4", "timestamp": "2026-04-25T14:00:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.122"}}, {"log_id": "L1-5", "timestamp": "2026-04-25T14:00:04Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.10"}}], "ground_truth": "escalate", "triggering_log_id": "L1-0", "stage": "stage4_adversarial", "seed": 93041}
{"alert": {"alert_id": "A-EVAL-l-93042", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 4 event(s); first=auth.login_success", "host": "host-001", "user": "bob"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T01:17:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.80"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T06:48:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T06:48:02Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T06:48:04Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.92.101", "bytes_out": 39870}}], "ground_truth": "dismiss", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93042}
{"alert": {"alert_id": "A-EVAL-l-93043", "category": "brute_force", "severity": "medium", "summary": "brute_force: 8 event(s); first=auth.login_failure", "host": "host-001", "user": "root"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T00:46:00Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.169"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T00:46:05Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.15"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T00:46:10Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.250"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T00:46:15Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.201"}}, {"log_id": "L1-4", "timestamp": "2026-04-25T00:46:20Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "root", "src_ip": "203.0.113.146"}}, {"log_id": "L1-5", "timestamp": "2026-04-25T12:18:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.108"}}, {"log_id": "L1-6", "timestamp": "2026-04-25T12:18:02Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.8.110", "bytes_out": 46298}}, {"log_id": "L1-7", "timestamp": "2026-04-25T12:18:04Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.104"}}], "ground_truth": "monitor", "triggering_log_id": "L1-5", "stage": "stage4_adversarial", "seed": 93043}
{"alert": {"alert_id": "A-EVAL-l-93044", "category": "c2_beacon", "severity": "high", "summary": "c2_beacon: 4 event(s); first=net.outbound_connection", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T03:10:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.13.33", "bytes_out": 24522}}, {"log_id": "L1-1", "timestamp": "2026-04-25T03:10:02Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T03:10:04Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T05:30:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "198.51.100.42", "interval_s": 60}}], "ground_truth": "block_ip", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93044}
{"alert": {"alert_id": "A-EVAL-l-93045", "category": "malware_execution", "severity": "high", "summary": "malware_execution: 5 event(s); first=proc.lolbin_use", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T06:06:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "chrome.exe", "cmd": "-enc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T06:06:05Z", "source": "endpoint", "event_type": "file.write", "fields": {"path": "C:\\Users\\Public\\tmp.exe"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T21:33:00Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.64.88", "bytes_out": 38191}}, {"log_id": "L1-3", "timestamp": "2026-04-25T21:33:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "alice", "src_ip": "10.0.0.61"}}, {"log_id": "L1-4", "timestamp": "2026-04-25T21:33:04Z", "source": "network", "event_type": "net.outbound_connection", "fields": {"dst_ip": "10.0.212.138", "bytes_out": 27745}}], "ground_truth": "quarantine_host", "triggering_log_id": "L1-0", "stage": "stage4_adversarial", "seed": 93045}
{"alert": {"alert_id": "A-EVAL-l-93046", "category": "c2_beacon", "severity": "high", "summary": "c2_beacon: 4 event(s); first=net.beacon", "host": "host-001", "user": "user-001"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T11:55:00Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "203.0.113.5", "interval_s": 90}}, {"log_id": "L1-1", "timestamp": "2026-04-25T18:06:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.243"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T18:06:02Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T18:06:04Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "internal.corp"}}], "ground_truth": "block_ip", "triggering_log_id": "L1-0", "stage": "stage4_adversarial", "seed": 93046}
{"alert": {"alert_id": "A-EVAL-l-93047", "category": "brute_force", "severity": "medium", "summary": "brute_force: 10 event(s); first=auth.login_failure", "host": "host-001", "user": "admin"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T08:01:00Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.250"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T08:01:05Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.8"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T08:01:10Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.62"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T08:01:15Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.88"}}, {"log_id": "L1-4", "timestamp": "2026-04-25T08:01:20Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.34"}}, {"log_id": "L1-5", "timestamp": "2026-04-25T08:01:25Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.48"}}, {"log_id": "L1-6", "timestamp": "2026-04-25T08:01:30Z", "source": "identity", "event_type": "auth.login_failure", "fields": {"user": "admin", "src_ip": "203.0.113.189"}}, {"log_id": "L1-7", "timestamp": "2026-04-25T18:26:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "alice", "src_ip": "10.0.0.152"}}, {"log_id": "L1-8", "timestamp": "2026-04-25T18:26:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.31"}}, {"log_id": "L1-9", "timestamp": "2026-04-25T18:26:04Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "alice", "src_ip": "10.0.0.108"}}], "ground_truth": "monitor", "triggering_log_id": "L1-7", "stage": "stage4_adversarial", "seed": 93047}
{"alert": {"alert_id": "A-EVAL-l-93048", "category": "malware_execution", "severity": "critical", "summary": "malware_execution: 6 event(s); first=auth.login_success", "host": "host-001", "user": "carol"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T09:05:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.83"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T09:05:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "dave", "src_ip": "10.0.0.224"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T09:05:04Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T22:37:00Z", "source": "endpoint", "event_type": "proc.lolbin_use", "fields": {"process": "powershell.exe", "parent_process": "outlook.exe", "cmd": "-enc BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"}}, {"log_id": "L1-4", "timestamp": "2026-04-25T22:37:15Z", "source": "network", "event_type": "net.beacon", "fields": {"dst_ip": "203.0.113.5", "interval_s": 30}}, {"log_id": "L1-5", "timestamp": "2026-04-25T22:37:30Z", "source": "identity", "event_type": "auth.privilege_grant", "fields": {"user": "bob", "role": "admin"}}], "ground_truth": "escalate", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93048}
{"alert": {"alert_id": "A-EVAL-l-93049", "category": "benign_noise", "severity": "low", "summary": "benign_noise: 4 event(s); first=auth.login_success", "host": "host-001", "user": "bob"}, "events": [{"log_id": "L1-0", "timestamp": "2026-04-25T22:05:00Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "bob", "src_ip": "10.0.0.185"}}, {"log_id": "L1-1", "timestamp": "2026-04-25T22:53:00Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "google.com"}}, {"log_id": "L1-2", "timestamp": "2026-04-25T22:53:02Z", "source": "identity", "event_type": "auth.login_success", "fields": {"user": "carol", "src_ip": "10.0.0.6"}}, {"log_id": "L1-3", "timestamp": "2026-04-25T22:53:04Z", "source": "network", "event_type": "net.dns_query", "fields": {"domain": "github.com"}}], "ground_truth": "dismiss", "triggering_log_id": "L1-3", "stage": "stage4_adversarial", "seed": 93049}