LAB 5: LOG CORRELATION ANALYSIS

CyberOps Week 7

Objectives

1. Search the firewall logs for denied connections from the suspicious IP
   Hint: Search for IP 185.220.101.47 in the Firewall Logs tab and look for DENY entries.
2. Find Windows Event Log entries for failed logon attempts (Event ID 4625)
   Hint: Search the Windows Event Logs for Event ID 4625. Note the source IP and timestamp of each entry.
3. Identify the successful logon after the brute force (Event ID 4624)
   Hint: After the run of 4625 events, look for an Event ID 4624 from the same source IP.
4. Trace the attacker's activity in the web server logs
   Hint: Search the Web Server Logs for the suspicious IP and look for SQL injection patterns and directory traversal.
5. Correlate timestamps across all sources to build a timeline
   Hint: Switch to the SIEM Dashboard and use the "correlate timeline" command to order the events chronologically.
6. Use the SIEM dashboard to visualize the attack chain
   Hint: Run "visualize attack" in the SIEM Dashboard to generate the attack flow visualization.
7. Identify the full attack path
   Hint: The attack progression: Port scan → SSH brute force → Successful auth → Web exploitation → Lateral movement.
8. Generate the correlated incident report
   Hint: Use "generate report" in the SIEM Dashboard to compile all findings into an incident summary.
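As an added worked example (not part of the lab or its SIEM tooling), the following Python correlator performs steps 1 to 7 on constructed sample lines: it normalizes firewall, Windows event and web server entries into one chronological timeline, then flags the run of 4625 failures followed by a 4624 from the same source IP and the web requests from that IP that carry injection or traversal patterns. The three log formats, the field names and the failure threshold are assumptions made for the example.

```python
import re
SUSPECT_IP = "185.220.101.47"  # the IP named in the lab hints
# Constructed sample lines in three ad-hoc formats (not the lab's real data).
FIREWALL = [
    "2024-03-12T09:58:01Z DENY TCP 185.220.101.47 -> 10.0.0.5:3389",
    "2024-03-12T09:58:03Z ALLOW TCP 185.220.101.47 -> 10.0.0.5:22",
]
WINEVT = [
    "2024-03-12T10:01:10Z EventID=4625 User=admin SrcIP=185.220.101.47",
    "2024-03-12T10:01:12Z EventID=4625 User=admin SrcIP=185.220.101.47",
    "2024-03-12T10:01:14Z EventID=4625 User=admin SrcIP=185.220.101.47",
    "2024-03-12T10:01:20Z EventID=4624 User=admin SrcIP=185.220.101.47",
    "2024-03-12T10:02:00Z EventID=4624 User=jsmith SrcIP=10.0.0.9",
]
WEB = [
    '185.220.101.47 [2024-03-12T10:05:30Z] "GET /item.php?id=1%27%20OR%201=1" 200',
    '10.0.0.9 [2024-03-12T10:05:40Z] "GET /index.html" 200',
    '185.220.101.47 [2024-03-12T10:06:02Z] "GET /../../etc/passwd" 403',
]
TS = r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)"
WEB_ATTACK = re.compile(r"(%27|')\s*(%20)?OR|\.\./", re.IGNORECASE)  # SQLi / traversal

def parse_events(firewall, winevt, web):
    """Normalize all sources to (timestamp, source, ip, detail); ISO-8601 UTC stamps sort chronologically."""
    events = []
    for line in firewall:
        m = re.match(TS + r" (DENY|ALLOW) \w+ ([\d.]+) -> (\S+)", line)
        events.append((m[1], "firewall", m[3], f"{m[2]} -> {m[4]}"))
    for line in winevt:
        m = re.match(TS + r" EventID=(\d+) User=(\S+) SrcIP=([\d.]+)", line)
        events.append((m[1], "winevt", m[4], f"{m[2]} user={m[3]}"))
    for line in web:
        m = re.match(r"([\d.]+) \[" + TS + r'\] "(GET|POST) (\S+)" (\d+)', line)
        tag = "WEB-ATTACK " if WEB_ATTACK.search(m[4]) else ""
        events.append((m[2], "web", m[1], f"{tag}{m[3]} {m[4]} {m[5]}"))
    return sorted(events)

def correlate(events, ip, threshold=3):
    """Attack-chain findings for one IP: first DENY, 4625 run before the 4624, web-attack hits."""
    chain = [e for e in events if e[2] == ip]
    first_deny = next((e[0] for e in chain if e[1] == "firewall" and "DENY" in e[3]), None)
    failures, success = 0, None
    for ts, src, _, detail in chain:
        if src == "winevt" and detail.startswith("4625"):
            failures += 1
        elif src == "winevt" and detail.startswith("4624") and failures >= threshold:
            success = ts  # successful auth after >= threshold failures: brute-force success
            break
    web_attacks = [d for _, src, _, d in chain if src == "web" and d.startswith("WEB-ATTACK")]
    return {"first_deny": first_deny, "failed_logons": failures,
            "brute_force_success": success, "web_attacks": web_attacks}
```

Calling `correlate(parse_events(FIREWALL, WINEVT, WEB), SUSPECT_IP)` returns the first DENY timestamp, three failed logons, the 4624 timestamp of the brute-force success and the two flagged web requests, which is the ordered chain the SIEM "correlate timeline" step is meant to surface.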

You've successfully correlated logs across multiple sources and reconstructed the attack timeline.