Step 04 · module overview
You finished Lab 09. Here's what stuck.
A short recap of the moves you used in the SOC pod — keep them close. Blue team is detective work, and the next lab flips your role: in Lab 10 you become the adversary, probing an LLM that's been told never to talk.
Module complete · soc-logs
You read the alert, joined four log sources on a session ID, and reconstructed a four-stage intrusion timeline. Blue team is detective work — every incident is already written down in log lines that exist; your job is to know which four to read, and in what order.
XP earned: +275xp
Difficulty: Medium
Time spent: ~45min
Track: Info
Recap · the five beats
- 01 The alert is the trailhead. A SIEM correlation rule fires — one yellow square on a dashboard, a ticket number, a time window. That is the start of the story, not the end. Pull the alert metadata, open a ticket, then walk the path.
- 02 Failed-then-successful logins are the bell. Start at auth.log. 847 failures from one IP followed by one acceptance is the textbook brute-force shape. Pin two evidence fields: brute_user and brute_src. They're the first two pieces of the report.
- 03 Pivot to what they did after the door opened. The successful login gave you a session ID. Join it against access.log and you see the post-compromise path: admin dashboard, user list, sensitive file read. Pin the third evidence field: read_path.
- 04 Outbound bytes to nowhere should always ring the alarm. Check firewall.log for large transfers to non-RFC1918 destinations near the incident window. 11MB to a TOR exit, matching the export file size — that's the fourth evidence field: exfil_dst.
- 05 Four log lines, one story — submit the flag. User · source IP · file path · exfil destination, joined with underscores: TrinetraCTF{...}. The flag IS the incident report. If you can assemble it, you can write the post-mortem and brief the IR lead.
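The five beats above are one pipeline: threshold on auth failures, join the winning session into the access log, then size-match an outbound transfer to a non-RFC1918 host inside the window. The script below is an added example and not the lab's own code; the `key=value` log formats, the sample lines, the hostnames and IP addresses (documentation ranges) and the threshold of five failures are all constructed for this demo and do not describe the lab's real files. The RFC1918 check is written out explicitly rather than using `ipaddress.is_private`, because that property also treats the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 documentation ranges as private and would hide an external destination drawn from them.

```python
"""Reconstruct a four-stage intrusion timeline from three log sources.

Added example, not the lab's code. All log formats and values below are
constructed for this demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# --- constructed sample logs (hypothetical format: "<iso-ts> k=v k=v ...") ---
AUTH_LOG = """\
2024-05-03T10:00:01 user=admin src=203.0.113.45 result=FAIL
2024-05-03T10:00:02 user=admin src=203.0.113.45 result=FAIL
2024-05-03T10:00:03 user=admin src=203.0.113.45 result=FAIL
2024-05-03T10:00:04 user=admin src=203.0.113.45 result=FAIL
2024-05-03T10:00:05 user=admin src=203.0.113.45 result=FAIL
2024-05-03T10:00:06 user=admin src=203.0.113.45 result=OK session=s-9f3e
2024-05-03T10:01:00 user=alice src=10.0.0.8 result=OK session=s-1a2b
"""
ACCESS_LOG = """\
2024-05-03T10:01:10 session=s-1a2b GET /home 200
2024-05-03T10:02:00 session=s-9f3e GET /admin/dashboard 200
2024-05-03T10:02:30 session=s-9f3e GET /admin/users 200
2024-05-03T10:03:00 session=s-9f3e GET /admin/export/customers.csv 200 size=11534336
"""
FIREWALL_LOG = """\
2024-05-03T10:02:50 src=10.0.0.5 dst=10.0.0.20 bytes=2048 action=ALLOW
2024-05-03T10:03:40 src=10.0.0.5 dst=198.51.100.77 bytes=11534336 action=ALLOW
2024-05-03T10:04:00 src=10.0.0.5 dst=93.184.216.34 bytes=1500 action=ALLOW
"""

# Explicit RFC1918 ranges: ipaddress.is_private would also mark the
# documentation ranges used above as private and hide the exfil host.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KV = re.compile(r"(\w+)=(\S+)")


def parse(log):
    """Turn '<ts> k=v ...' lines into dicts; bare tokens (method, path, status) go to 'tokens'."""
    rows = []
    for line in log.strip().splitlines():
        ts, _, rest = line.partition(" ")
        row = {"ts": datetime.fromisoformat(ts)}
        row.update(KV.findall(rest))
        row["tokens"] = [t for t in rest.split() if "=" not in t]
        rows.append(row)
    return rows


def is_rfc1918(ip):
    return any(ip_address(ip) in net for net in RFC1918)


def find_brute_force(auth, min_failures=5):
    """Beat 02: many FAILs for one (user, src) pair, then an OK for the same pair."""
    failures = defaultdict(int)
    for row in auth:
        key = (row["user"], row["src"])
        if row["result"] == "FAIL":
            failures[key] += 1
        elif row["result"] == "OK" and failures[key] >= min_failures:
            return {"brute_user": row["user"], "brute_src": row["src"],
                    "session": row["session"], "ts": row["ts"]}
    return None


def find_sensitive_read(access, session):
    """Beat 03: join on the session ID; the file read is the request carrying a size."""
    for row in access:
        if row.get("session") == session and "size" in row:
            return {"read_path": row["tokens"][1], "size": int(row["size"]), "ts": row["ts"]}
    return None


def find_exfil(firewall, read, window=timedelta(minutes=10)):
    """Beat 04: outbound transfer to a non-RFC1918 host after the read, matching its size."""
    for row in firewall:
        in_window = read["ts"] <= row["ts"] <= read["ts"] + window
        if in_window and not is_rfc1918(row["dst"]) and int(row["bytes"]) == read["size"]:
            return {"exfil_dst": row["dst"], "ts": row["ts"]}
    return None


def reconstruct(auth_log=AUTH_LOG, access_log=ACCESS_LOG, firewall_log=FIREWALL_LOG):
    """Beat 05: the four evidence fields joined with underscores, or None if a stage is missing."""
    brute = find_brute_force(parse(auth_log))
    if brute is None:
        return None
    read = find_sensitive_read(parse(access_log), brute["session"])
    if read is None:
        return None
    exfil = find_exfil(parse(firewall_log), read)
    if exfil is None:
        return None
    fields = [brute["brute_user"], brute["brute_src"], read["read_path"], exfil["exfil_dst"]]
    return {"brute_user": fields[0], "brute_src": fields[1], "read_path": fields[2],
            "exfil_dst": fields[3], "report": "_".join(fields)}


if __name__ == "__main__":
    print(reconstruct())
```

Run it and `report` comes back as the underscore-joined evidence string the recap describes; wrapping it in the `TrinetraCTF{...}` envelope is the submission step. Each stage returns `None` when its evidence is absent, so a timeline with a login that was never brute-forced, a session that read nothing, or a transfer that stayed internal does not produce a report.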