soc-triage-env / server /data /alerts.json
vasanthfeb13's picture
Upload folder using huggingface_hub
ae61bb9 verified
Raw
History Blame Contribute Delete
6.19 kB
{
"easy": [
{
"alert": {
"alert_id": "EASY-001",
"timestamp": "2026-03-27T10:15:00Z",
"source_ip": "192.168.1.45",
"destination_ip": "10.0.0.1",
"event_type": "FAILED_LOGIN",
"raw_log": "Failed SSH password attempts for root from 192.168.1.45"
},
"ground_truth": {
"severity": "medium",
"recommended_action": "investigate"
}
},
{
"alert": {
"alert_id": "EASY-002",
"timestamp": "2026-03-27T03:00:00Z",
"source_ip": "192.168.1.50",
"destination_ip": "45.33.32.156",
"event_type": "OUTBOUND_C2",
"raw_log": "Repeated beaconing every 60 seconds to known C2 endpoint"
},
"ground_truth": {
"severity": "critical",
"recommended_action": "escalate"
}
},
{
"alert": {
"alert_id": "EASY-003",
"timestamp": "2026-03-27T09:00:00Z",
"source_ip": "192.168.2.20",
"destination_ip": "192.168.2.1",
"event_type": "ARP_REQUEST",
"raw_log": "Normal ARP request in internal subnet"
},
"ground_truth": {
"severity": "benign",
"recommended_action": "ignore"
}
}
],
"medium": [
{
"alert": {
"alerts": [
{
"alert_id": "MED-A",
"event_type": "FAILED_LOGIN",
"source_ip": "10.0.0.5",
"raw_log": "3 failed SSH attempts in 10 seconds"
},
{
"alert_id": "MED-B",
"event_type": "DNS_LOOKUP",
"source_ip": "10.0.0.10",
"raw_log": "Normal DNS query to github.com"
},
{
"alert_id": "MED-C",
"event_type": "RANSOMWARE_INDICATOR",
"source_ip": "10.0.0.7",
"raw_log": "Mass file encryption with suspicious extension across host"
},
{
"alert_id": "MED-D",
"event_type": "PRIVILEGE_ESCALATION",
"source_ip": "10.0.0.3",
"raw_log": "Non-admin user attempted sudo elevation"
},
{
"alert_id": "MED-E",
"event_type": "OUTBOUND_DATA",
"source_ip": "10.0.0.8",
"raw_log": "Large outbound transfer to unknown external IP"
}
]
},
"ground_truth": {
"ranking": ["MED-C", "MED-E", "MED-D", "MED-A", "MED-B"]
}
}
],
"hard": [
{
"alert": {
"events": [
{
"alert_id": "H-01",
"timestamp": "T+0min",
"event_type": "NMAP_SCAN",
"source_ip": "185.220.0.1",
"raw_log": "Stealth SYN scan on subnet"
},
{
"alert_id": "H-02",
"timestamp": "T+1min",
"event_type": "DNS_LOOKUP",
"source_ip": "192.168.1.22",
"raw_log": "Normal DNS query to updates endpoint"
},
{
"alert_id": "H-03",
"timestamp": "T+2min",
"event_type": "EXPLOIT_ATTEMPT",
"source_ip": "185.220.0.1",
"raw_log": "Suspicious exploit payload detected in HTTP header"
},
{
"alert_id": "H-04",
"timestamp": "T+2min",
"event_type": "ARP_REQUEST",
"source_ip": "192.168.1.9",
"raw_log": "Normal ARP request from printer"
},
{
"alert_id": "H-05",
"timestamp": "T+3min",
"event_type": "SHELL_SPAWN",
"source_ip": "192.168.1.15",
"raw_log": "Reverse shell process spawned on server host"
},
{
"alert_id": "H-06",
"timestamp": "T+3min",
"event_type": "USER_LOGIN",
"source_ip": "192.168.1.20",
"raw_log": "Normal user login event"
},
{
"alert_id": "H-07",
"timestamp": "T+5min",
"event_type": "LATERAL_MOVEMENT",
"source_ip": "192.168.1.15",
"raw_log": "Credential reuse and remote execution to peer host"
},
{
"alert_id": "H-08",
"timestamp": "T+5min",
"event_type": "BANDWIDTH_SPIKE",
"source_ip": "192.168.1.30",
"raw_log": "Expected backup traffic to NAS"
},
{
"alert_id": "H-09",
"timestamp": "T+7min",
"event_type": "C2_BEACON",
"source_ip": "192.168.1.15",
"raw_log": "Beaconing pattern every 30 seconds to external endpoint"
},
{
"alert_id": "H-10",
"timestamp": "T+7min",
"event_type": "DNS_LOOKUP",
"source_ip": "192.168.1.44",
"raw_log": "Normal query to collaboration API"
},
{
"alert_id": "H-11",
"timestamp": "T+9min",
"event_type": "DATA_EXFIL",
"source_ip": "192.168.1.15",
"raw_log": "Large encrypted transfer to unknown external host"
},
{
"alert_id": "H-12",
"timestamp": "T+9min",
"event_type": "PRINT_JOB",
"source_ip": "192.168.1.53",
"raw_log": "Normal print queue event"
},
{
"alert_id": "H-13",
"timestamp": "T+10min",
"event_type": "FAILED_LOGIN",
"source_ip": "192.168.1.12",
"raw_log": "Two failed logins likely typo pattern"
},
{
"alert_id": "H-14",
"timestamp": "T+10min",
"event_type": "DNS_QUERY",
"source_ip": "192.168.1.17",
"raw_log": "Normal DNS request"
},
{
"alert_id": "H-15",
"timestamp": "T+10min",
"event_type": "FIREWALL_RULE_CHANGE",
"source_ip": "192.168.1.1",
"raw_log": "Firewall rule removed by system account"
}
]
},
"ground_truth": {
"kill_chain": ["H-01", "H-03", "H-05", "H-07", "H-11"]
}
}
]
}