Create human_like_security_reasoning.csv
human_like_security_reasoning.csv
ADDED
@@ -0,0 +1,51 @@
| 1 |
+
scenario_id,domain,situation,context,human_thought_process,possible_mistake,correct_decision,risk_level,explanation
|
| 2 |
+
1,cybersecurity,Multiple failed login attempts,Corporate VPN,"Could be user error or brute force. Need to check IP pattern and timing.","Disable all VPN access","Block suspicious IP and alert SOC",medium,"Targeted blocking avoids disruption"
|
| 3 |
+
2,system,Server disk usage suddenly full,Production Linux server,"Logs or backups might have grown unexpectedly.","Delete random files","Analyze disk usage and clean safely",high,"Blind deletion risks data loss"
|
| 4 |
+
3,network,High latency reported,Office LAN,"Is this congestion, faulty switch, or external issue?","Restart all devices","Trace route and isolate bottleneck",medium,"Root cause analysis saves time"
|
| 5 |
+
4,cybersecurity,Phishing email reported,Employee inbox,"Check sender domain and email headers.","Ignore single report","Analyze and warn all users",high,"Early warning prevents spread"
|
| 6 |
+
5,system,CPU spike at night,Cloud VM,"Scheduled job or malicious process?","Reboot VM","Check cron jobs and running processes",high,"Reboot hides root cause"
|
| 7 |
+
6,network,Packet loss detected,ISP connection,"Could be ISP issue or local cable fault.","Change router immediately","Test locally and contact ISP",medium,"Avoid unnecessary replacement"
|
| 8 |
+
7,cybersecurity,Unknown USB plugged in,Office PC,"USB could contain malware.","Open files to check","Isolate system and scan USB",high,"USB attacks are common"
|
| 9 |
+
8,system,Application crashes repeatedly,Production app,"Check logs before blaming code.","Redeploy blindly","Inspect error logs",medium,"Logs reveal exact issue"
|
| 10 |
+
9,cybersecurity,Password reuse detected,User audit,"User convenience vs security risk.","Ignore minor reuse","Force password reset",medium,"Reuse increases breach risk"
|
| 11 |
+
10,network,WiFi speed drops,Campus WiFi,"Too many users or interference?","Increase bandwidth","Change channel and optimize APs",low,"Optimization is cheaper"
|
| 12 |
+
11,cybersecurity,Admin login from new country,Cloud console,"Could be travel or compromise.","Disable admin","Verify activity and MFA logs",high,"Context matters"
|
| 13 |
+
12,system,Memory leak suspected,Backend service,"Gradual memory growth indicates leak.","Restart service","Profile memory usage",high,"Restart is temporary fix"
|
| 14 |
+
13,network,DNS resolution slow,Internal DNS,"Cache or upstream issue?","Switch public DNS","Fix internal DNS config",medium,"Internal reliability matters"
|
| 15 |
+
14,cybersecurity,Ransomware note found,User system,"Immediate isolation needed.","Pay ransom","Disconnect system and start IR",critical,"Containment is priority"
|
| 16 |
+
15,system,Backup job failed,Database server,"Storage or permission issue?","Ignore single failure","Investigate immediately",high,"Backups are critical"
|
| 17 |
+
16,network,Firewall blocking legit traffic,Enterprise firewall,"Rule misconfiguration likely.","Disable firewall","Adjust specific rule",high,"Firewall protects network"
|
| 18 |
+
17,cybersecurity,Suspicious PowerShell script,System logs,"PowerShell often abused.","Delete script","Analyze source and intent",high,"Forensics needed"
|
| 19 |
+
18,system,Time drift observed,Distributed system,"Clock mismatch affects logs.","Ignore seconds drift","Sync NTP across systems",medium,"Time consistency matters"
|
| 20 |
+
19,network,VPN users disconnected,Remote workforce,"Server overload or ISP issue?","Restart VPN server","Check load and logs",medium,"Restart may worsen issue"
|
| 21 |
+
20,cybersecurity,API key exposed in repo,Public GitHub,"Key likely compromised.","Do nothing","Revoke and rotate key",critical,"Keys must be rotated"
|
| 22 |
+
21,system,Service dependency missing,Microservices,"Config mismatch after deploy.","Rollback immediately","Fix dependency config",medium,"Rollback not always needed"
|
| 23 |
+
22,network,ARP spoofing suspected,LAN network,"Unusual MAC-IP mapping.","Ignore alerts","Enable ARP inspection",high,"ARP attacks enable MITM"
|
| 24 |
+
23,cybersecurity,User clicks suspicious link,Office laptop,"Endpoint may be compromised.","Scold user","Scan system and educate",medium,"Education reduces future risk"
|
| 25 |
+
24,system,High I/O wait,Database server,"Disk bottleneck or query issue.","Add more RAM","Optimize queries or storage",high,"Correct resource matters"
|
| 26 |
+
25,network,Load balancer uneven traffic,Web servers,"Health checks misconfigured.","Restart LB","Fix health check rules",medium,"Restart hides config issue"
|
| 27 |
+
26,cybersecurity,Malware detected by AV,Endpoint,"False positive or real?","Ignore AV","Quarantine and analyze",high,"Ignoring AV is dangerous"
|
| 28 |
+
27,system,Config file overwritten,Server reboot,"Automation tool issue.","Manually edit","Fix automation script",medium,"Automation errors repeat"
|
| 29 |
+
28,network,Port scan detected,Firewall logs,"Recon activity likely.","Ignore low volume","Block source and monitor",medium,"Early blocking helps"
|
| 30 |
+
29,cybersecurity,Privilege escalation attempt,Server logs,"Serious breach indicator.","Restart server","Investigate immediately",critical,"Restart destroys evidence"
|
| 31 |
+
30,system,Service starts slowly,Application server,"Cold start or dependency delay.","Increase CPU","Optimize startup sequence",low,"Performance tuning needed"
|
| 32 |
+
31,network,MTU mismatch issue,VPN tunnel,"Fragmentation causing drops.","Ignore small drops","Align MTU settings",medium,"MTU mismatch common issue"
|
| 33 |
+
32,cybersecurity,Social engineering call,Helpdesk,"Caller urgency suspicious.","Reset password","Verify identity strictly",high,"Social attacks bypass tech"
|
| 34 |
+
33,system,Database connection timeout,App backend,"Pool exhaustion likely.","Restart DB","Increase pool and fix leaks",high,"Restart is temporary"
|
| 35 |
+
34,network,Duplicate IP detected,Office LAN,"Static IP conflict.","Restart device","Resolve IP assignment",low,"Conflict causes instability"
|
| 36 |
+
35,cybersecurity,Unusual outbound traffic,Server firewall,"Possible data exfiltration.","Ignore off-hours","Analyze destination and volume",critical,"Data loss risk"
|
| 37 |
+
36,system,Log files missing,Server audit,"Rotation or tampering?","Assume rotation","Check audit policies",high,"Logs are evidence"
|
| 38 |
+
37,network,Switch port flapping,Data center,"Cable or NIC fault.","Ignore alerts","Replace cable/NIC",medium,"Hardware issues degrade network"
|
| 39 |
+
38,cybersecurity,MFA disabled by user,Account settings,"Security weakened.","Allow for convenience","Force MFA re-enable",high,"MFA is critical"
|
| 40 |
+
39,system,Kernel panic observed,Linux server,"Hardware or driver issue.","Reboot repeatedly","Analyze crash dump",critical,"Repeated panic worsens damage"
|
| 41 |
+
40,network,BGP route change detected,ISP network,"Possible hijack.","Ignore brief change","Verify routing integrity",critical,"Routing attacks are severe"
|
| 42 |
+
41,cybersecurity,Unauthorized software installed,Employee PC,"Policy violation.","Uninstall silently","Investigate intent",medium,"Could be insider threat"
|
| 43 |
+
42,system,Service health check failing,Monitoring alert,"False alert or real issue?","Mute alert","Verify service status",medium,"Alerts guide action"
|
| 44 |
+
43,network,Wireless rogue AP detected,Office,"Possible evil twin.","Ignore unknown AP","Locate and remove AP",high,"Rogue AP steals data"
|
| 45 |
+
44,cybersecurity,Email attachment opened,User system,"Malware risk.","Wait for symptoms","Scan immediately",high,"Early detection helps"
|
| 46 |
+
45,system,Environment variables missing,App deploy,"Config error.","Hardcode values","Fix environment config",medium,"Hardcoding is unsafe"
|
| 47 |
+
46,network,Excessive broadcast traffic,LAN,"Loop or misconfig.","Restart switches","Find loop and fix STP",high,"Broadcast storms are dangerous"
|
| 48 |
+
47,cybersecurity,Session hijack suspected,Web app,"Token leakage?","Ignore rare case","Invalidate sessions",high,"Sessions must be protected"
|
| 49 |
+
48,system,Cache inconsistency,Distributed cache,"Stale data served.","Disable cache","Fix invalidation logic",medium,"Cache improves performance"
|
| 50 |
+
49,network,Slow file transfers,SFTP server,"Encryption overhead or disk?","Disable encryption","Optimize disk and cipher",medium,"Security should remain"
|
| 51 |
+
50,cybersecurity,Unknown scheduled task,System audit,"Persistence technique.","Ignore if idle","Investigate task origin",high,"Persistence enables long attacks"
|
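Review bot: the added CSV introduces closed vocabularies in `domain` (cybersecurity, system, network) and `risk_level` (low, medium, high, critical) without any accompanying README or data card that defines them or the rubric used to pick one `correct_decision` per scenario; please add that documentation alongside the file. Several rows treat a defensible conservative action as the mistake, which will confuse anyone training or evaluating on this data: scenario 11 marks `"Disable admin"` as the mistake and `"Verify activity and MFA logs"` as correct, although temporarily suspending a privileged account pending verification is a common playbook step, and scenario 23 treats `"Scan system and educate"` as sufficient after a user clicks a suspicious link without mentioning isolating the endpoint, which scenario 7 does require for a USB. Either soften those mistake labels or add a column for acceptable alternative actions. Minor: `scenario_id` duplicates the row number, and `human_thought_process` mixes questions (`"Scheduled job or malicious process?"`) with statements (`"Serious breach indicator."`), which is fine for free text but should be stated in the column description.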