Authentication Monitoring
Tracks login activity, failed authentication patterns, and credential misuse indicators to support early triage.
Detection Strategy
The lab is structured to generate observable activity across endpoints so alerts can be reviewed, validated, and explained with evidence.
Focuses on command execution, suspicious binaries, and process behavior that supports incident reconstruction.
Uses evidence from both Windows and Linux systems to assess whether behavior is isolated or part of a broader event chain.
Planned Scenarios
| Scenario | Source | Detection Goal | Analyst Action |
|---|---|---|---|
| Failed logon attempts | Windows endpoint | Identify authentication abuse | Validate source, frequency, and user impact |
| Suspicious command execution | Windows / Linux | Track potentially risky commands | Review command context and correlate user activity |
| Internal reconnaissance | Kali simulation | Observe scan behavior | Tie source IP to detection timeline |
| Server access anomalies | Ubuntu server | Spot unusual service interaction | Assess normal vs suspicious behavior |
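As an added example (not part of the lab's own tooling), a small Python check for the first scenario: it reads constructed failed-logon records (Windows event 4625 in a simplified CSV form, not real lab output), counts failures per source IP inside a sliding window, and reports source, frequency and affected users, the three things the analyst action in the table asks for.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified "timestamp,event_id,user,source_ip"
# form, not real lab output. 4625 = failed logon, 4624 = successful logon.
SAMPLE_LOG = """\
2024-05-01T09:00:01,4625,alice,10.0.0.50
2024-05-01T09:00:03,4625,alice,10.0.0.50
2024-05-01T09:00:05,4625,bob,10.0.0.50
2024-05-01T09:00:06,4625,carol,10.0.0.50
2024-05-01T09:00:08,4625,dave,10.0.0.50
2024-05-01T09:00:09,4624,alice,10.0.0.50
2024-05-01T09:30:00,4625,alice,10.0.0.77
2024-05-01T11:00:00,4625,alice,10.0.0.77
"""

def parse_events(text):
    """Parse CSV-style lines into dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, event_id, user, src = parts
        events.append({"ts": datetime.fromisoformat(ts), "event_id": event_id,
                       "user": user, "src": src})
    return events

def find_auth_abuse(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with at least `threshold` failed logons within `window`.
    Returns {src: {"count", "first", "last", "users"}}: source, frequency and
    user impact in one view for triage."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event_id"] == "4625":
            failures[e["src"]].append(e)
    alerts = {}
    for src, evs in failures.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the burst fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            burst = evs[start:end + 1]
            if len(burst) >= threshold:
                alerts[src] = {"count": len(burst), "first": burst[0]["ts"],
                               "last": burst[-1]["ts"],
                               "users": sorted({b["user"] for b in burst})}
                break
    return alerts
```

With the sample above, 10.0.0.50 is flagged (five failures against four accounts in seven seconds) while the two widely spaced failures from 10.0.0.77 are not, which is the kind of distinction the "Validate source, frequency, and user impact" step is meant to make.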
Evidence Model
Analyst Readiness
- What happened?
- Where did it start?
- Which system was affected?
- Is it benign, suspicious, or malicious?
- What evidence supports that conclusion?