Spaces:
Sleeping
Sleeping
| { | |
| "easy": [ | |
| { | |
| "alert": { | |
| "alert_id": "EASY-001", | |
| "timestamp": "2026-03-27T10:15:00Z", | |
| "source_ip": "192.168.1.45", | |
| "destination_ip": "10.0.0.1", | |
| "event_type": "FAILED_LOGIN", | |
| "raw_log": "Failed SSH password attempts for root from 192.168.1.45" | |
| }, | |
| "ground_truth": { | |
| "severity": "medium", | |
| "recommended_action": "investigate" | |
| } | |
| }, | |
| { | |
| "alert": { | |
| "alert_id": "EASY-002", | |
| "timestamp": "2026-03-27T03:00:00Z", | |
| "source_ip": "192.168.1.50", | |
| "destination_ip": "45.33.32.156", | |
| "event_type": "OUTBOUND_C2", | |
| "raw_log": "Repeated beaconing every 60 seconds to known C2 endpoint" | |
| }, | |
| "ground_truth": { | |
| "severity": "critical", | |
| "recommended_action": "escalate" | |
| } | |
| }, | |
| { | |
| "alert": { | |
| "alert_id": "EASY-003", | |
| "timestamp": "2026-03-27T09:00:00Z", | |
| "source_ip": "192.168.2.20", | |
| "destination_ip": "192.168.2.1", | |
| "event_type": "ARP_REQUEST", | |
| "raw_log": "Normal ARP request in internal subnet" | |
| }, | |
| "ground_truth": { | |
| "severity": "benign", | |
| "recommended_action": "ignore" | |
| } | |
| } | |
| ], | |
| "medium": [ | |
| { | |
| "alert": { | |
| "alerts": [ | |
| { | |
| "alert_id": "MED-A", | |
| "event_type": "FAILED_LOGIN", | |
| "source_ip": "10.0.0.5", | |
| "raw_log": "3 failed SSH attempts in 10 seconds" | |
| }, | |
| { | |
| "alert_id": "MED-B", | |
| "event_type": "DNS_LOOKUP", | |
| "source_ip": "10.0.0.10", | |
| "raw_log": "Normal DNS query to github.com" | |
| }, | |
| { | |
| "alert_id": "MED-C", | |
| "event_type": "RANSOMWARE_INDICATOR", | |
| "source_ip": "10.0.0.7", | |
| "raw_log": "Mass file encryption with suspicious extension across host" | |
| }, | |
| { | |
| "alert_id": "MED-D", | |
| "event_type": "PRIVILEGE_ESCALATION", | |
| "source_ip": "10.0.0.3", | |
| "raw_log": "Non-admin user attempted sudo elevation" | |
| }, | |
| { | |
| "alert_id": "MED-E", | |
| "event_type": "OUTBOUND_DATA", | |
| "source_ip": "10.0.0.8", | |
| "raw_log": "Large outbound transfer to unknown external IP" | |
| } | |
| ] | |
| }, | |
| "ground_truth": { | |
| "ranking": ["MED-C", "MED-E", "MED-D", "MED-A", "MED-B"] | |
| } | |
| } | |
| ], | |
| "hard": [ | |
| { | |
| "alert": { | |
| "events": [ | |
| { | |
| "alert_id": "H-01", | |
| "timestamp": "T+0min", | |
| "event_type": "NMAP_SCAN", | |
| "source_ip": "185.220.0.1", | |
| "raw_log": "Stealth SYN scan on subnet" | |
| }, | |
| { | |
| "alert_id": "H-02", | |
| "timestamp": "T+1min", | |
| "event_type": "DNS_LOOKUP", | |
| "source_ip": "192.168.1.22", | |
| "raw_log": "Normal DNS query to updates endpoint" | |
| }, | |
| { | |
| "alert_id": "H-03", | |
| "timestamp": "T+2min", | |
| "event_type": "EXPLOIT_ATTEMPT", | |
| "source_ip": "185.220.0.1", | |
| "raw_log": "Suspicious exploit payload detected in HTTP header" | |
| }, | |
| { | |
| "alert_id": "H-04", | |
| "timestamp": "T+2min", | |
| "event_type": "ARP_REQUEST", | |
| "source_ip": "192.168.1.9", | |
| "raw_log": "Normal ARP request from printer" | |
| }, | |
| { | |
| "alert_id": "H-05", | |
| "timestamp": "T+3min", | |
| "event_type": "SHELL_SPAWN", | |
| "source_ip": "192.168.1.15", | |
| "raw_log": "Reverse shell process spawned on server host" | |
| }, | |
| { | |
| "alert_id": "H-06", | |
| "timestamp": "T+3min", | |
| "event_type": "USER_LOGIN", | |
| "source_ip": "192.168.1.20", | |
| "raw_log": "Normal user login event" | |
| }, | |
| { | |
| "alert_id": "H-07", | |
| "timestamp": "T+5min", | |
| "event_type": "LATERAL_MOVEMENT", | |
| "source_ip": "192.168.1.15", | |
| "raw_log": "Credential reuse and remote execution to peer host" | |
| }, | |
| { | |
| "alert_id": "H-08", | |
| "timestamp": "T+5min", | |
| "event_type": "BANDWIDTH_SPIKE", | |
| "source_ip": "192.168.1.30", | |
| "raw_log": "Expected backup traffic to NAS" | |
| }, | |
| { | |
| "alert_id": "H-09", | |
| "timestamp": "T+7min", | |
| "event_type": "C2_BEACON", | |
| "source_ip": "192.168.1.15", | |
| "raw_log": "Beaconing pattern every 30 seconds to external endpoint" | |
| }, | |
| { | |
| "alert_id": "H-10", | |
| "timestamp": "T+7min", | |
| "event_type": "DNS_LOOKUP", | |
| "source_ip": "192.168.1.44", | |
| "raw_log": "Normal query to collaboration API" | |
| }, | |
| { | |
| "alert_id": "H-11", | |
| "timestamp": "T+9min", | |
| "event_type": "DATA_EXFIL", | |
| "source_ip": "192.168.1.15", | |
| "raw_log": "Large encrypted transfer to unknown external host" | |
| }, | |
| { | |
| "alert_id": "H-12", | |
| "timestamp": "T+9min", | |
| "event_type": "PRINT_JOB", | |
| "source_ip": "192.168.1.53", | |
| "raw_log": "Normal print queue event" | |
| }, | |
| { | |
| "alert_id": "H-13", | |
| "timestamp": "T+10min", | |
| "event_type": "FAILED_LOGIN", | |
| "source_ip": "192.168.1.12", | |
| "raw_log": "Two failed logins likely typo pattern" | |
| }, | |
| { | |
| "alert_id": "H-14", | |
| "timestamp": "T+10min", | |
| "event_type": "DNS_QUERY", | |
| "source_ip": "192.168.1.17", | |
| "raw_log": "Normal DNS request" | |
| }, | |
| { | |
| "alert_id": "H-15", | |
| "timestamp": "T+10min", | |
| "event_type": "FIREWALL_RULE_CHANGE", | |
| "source_ip": "192.168.1.1", | |
| "raw_log": "Firewall rule removed by system account" | |
| } | |
| ] | |
| }, | |
| "ground_truth": { | |
| "kill_chain": ["H-01", "H-03", "H-05", "H-07", "H-11"] | |
| } | |
| } | |
| ] | |
| } | |