Assign yourself to an alert, move it to "In Progress", and start the triage!
How this works:
1. Click any alert row to expand its details (host, process, file paths, comments, etc.).
2. Use the pencil icon to assign yourself, and the status/verdict badges to update them as you triage, just like a real SOC ticket.
3. Scroll down to the Triage Quiz and answer each question based on what you found. Some are dropdowns, some are short text answers.
4. Answers are graded instantly and privately; wrong guesses don't cost you anything, so try again if needed.
5. Once all questions are correct, click Reveal Flag and submit that flag where instructed.
Alert list (columns: Time | Name | Severity | Status | Verdict | Assignee | Actions)

Mar 21st 2025 at 13:58 | Double-Extension File Creation | High | Awaiting action | Verdict: None | Assignee: None
Description: This rule detects the creation of a double-extension file such as '*.pdf.exe' or '*.gif.lnk', often used by attackers in phishing campaigns to trick users into opening a malicious executable.
Description: Detects 5 or more gigabytes of data sent from a single device to a single destination within a day, which may indicate data exfiltration to an untrusted location.
Destination: *.zoom.us
Source IP: 192.168.45.66
Network: UK04/MEETINGROOM
Sent Data: 5.8 GB
Received Data: 5.2 GB
Mar 21st 2025 at 13:02 | Download from GitHub Repository | Low | Awaiting action | Verdict: None | Assignee: None
Description: Detects any download from GitHub. While GitHub is useful, it can also be used to download malicious scripts or exploits that users must not download.
Accessed URL: https://github.com/facebook/react
Source User: G.Chandler
Source Host: LPT-IT-063
Network: VPN/DEVELOPERS
Mar 21st 2025 at 12:40 | Unusual VPN Login Location | Medium | Closed | Verdict: False Positive | Assignee: N.Stephanie (L1)
Description: The user accessed the corporate VPN from a first-seen location. This login may indicate that the user's account is compromised and threat actors are breaking in.
Source IP: 45.8.112.7
User: M.Clark
Expected Country: United States
Comment: A.Andy, corporate CFO, confirmed that she is currently on vacation in Japan but had to access VPN from her laptop exactly at that time to resolve an urgent issue. Not a threat.
Mar 21st 2025 at 11:53 | Bruteforce Attack from External | Medium | Closed | Verdict: True Positive | Assignee: A.Gifty (L2)
Description: The rule detects 50 or more failed logins on a single system from an external IP during a short period of time. This alert may indicate that the system is Internet-exposed and is actively being bruteforced by a threat actor.
Source IP: 45.148.10.50
Users Targeted: Administrator, admin, adm
Bruteforce Method: RDP (1620 attempts)
Comment: It was concluded that WIN-ITDEV is a temporary VM created by IT for development purposes, that was not properly secured and exposed RDP port to the Internet, now being bruteforced by a malicious botnet. Although admin password was not guessed, the alert was escalated to L2 to contact IT team.
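Three of the rule descriptions above (double-extension file creation, the 5 GB daily egress threshold, and the 50-failed-logins brute-force rule) are concrete enough to be read as detection logic. The Python below is an added example, not the lab platform's or any vendor's code: it re-implements each description as a function and runs it over constructed sample events modelled on the alert fields. The list of "executable" extensions, the 10-minute window standing in for "a short period", the use of ipaddress.is_global as the definition of "external", and all sample file names, flows and logins are assumptions made for this example.

```python
"""Toy re-implementation of the detection rules described in the alert list
(added example; not the platform's own rules). Sample events are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

GIGABYTE = 1024 ** 3
# Assumption: a hypothetical set of extensions treated as "executable".
EXEC_EXTS = {"exe", "lnk", "scr", "bat", "cmd", "js", "vbs", "hta"}


def is_double_extension(path: str) -> bool:
    """'invoice.pdf.exe' style: the final extension is executable and the one
    before it is a different, non-executable extension. Works on the basename,
    so a dotted directory such as 'C:\\dir.v2\\setup.exe' is not flagged."""
    name = re.split(r"[\\/]", path)[-1].lower()
    parts = name.split(".")
    if len(parts) < 3:                       # needs at least name.ext1.ext2
        return False
    last, before = parts[-1], parts[-2]
    return last in EXEC_EXTS and before != "" and before not in EXEC_EXTS


def large_egress(flows, threshold_bytes=5 * GIGABYTE):
    """Sum bytes sent per (calendar day, source, destination) and report pairs
    at or above the threshold, mirroring the "5 or more GB within a day" rule."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["ts"].date().isoformat(), f["src"], f["dst"])] += f["sent"]
    return {k: v for k, v in totals.items() if v >= threshold_bytes}


def external_bruteforce(events, threshold=50, window=timedelta(minutes=10)):
    """Sliding window over failed logins per (host, source IP). "External" is
    approximated with ipaddress.is_global (assumption); "short period" is the
    window argument. Returns (host, src) -> largest failure count in any window."""
    failures = defaultdict(list)
    for e in events:
        if e["outcome"] != "failure" or not ip_address(e["src"]).is_global:
            continue
        failures[(e["host"], e["src"])].append(e["ts"])
    hits = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop events older than the window
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[key] = max(hits.get(key, 0), count)
    return hits


def sample_events():
    """Constructed sample telemetry modelled on the alert fields above."""
    base = datetime(2025, 3, 21, 11, 0)
    files = [
        r"C:\Users\j.doe\Downloads\invoice.pdf.exe",  # should fire
        r"C:\Temp\setup.exe",                          # single extension
        "photo.gif.lnk",                               # should fire
        "notes.tar.gz",                                # archive, not executable
        r"C:\dir.v2\setup.exe",                        # dotted directory only
    ]
    flows = [
        {"ts": base, "src": "192.168.45.66", "dst": "*.zoom.us", "sent": 3 * GIGABYTE},
        {"ts": base + timedelta(hours=2), "src": "192.168.45.66", "dst": "*.zoom.us",
         "sent": int(2.8 * GIGABYTE)},
        {"ts": base, "src": "192.168.45.70", "dst": "updates.example.com", "sent": GIGABYTE},
    ]
    # 60 failures in five minutes from an external IP, rotating the targeted users.
    logins = [{"ts": base + timedelta(seconds=5 * i), "host": "WIN-ITDEV",
               "src": "45.148.10.50", "user": u, "outcome": "failure"}
              for i, u in enumerate(["Administrator", "admin", "adm"] * 20)]
    # 60 failures from an internal address: noisy, but outside this rule's scope.
    logins += [{"ts": base + timedelta(seconds=i), "host": "WIN-ITDEV",
                "src": "192.168.45.66", "user": "admin", "outcome": "failure"}
               for i in range(60)]
    return files, flows, logins


def run_demo():
    files, flows, logins = sample_events()
    return {
        "double_ext": [f for f in files if is_double_extension(f)],
        "egress": large_egress(flows),
        "bruteforce": external_bruteforce(logins),
    }


if __name__ == "__main__":
    for rule, result in run_demo().items():
        print(rule, "->", result)
```

Running the file prints one line per rule. The egress rule keys on calendar day, so a transfer straddling midnight is split across two days, which is a known blind spot of a "within a day" rule; the brute-force rule deliberately ignores failures from private addresses, which is why the internal noise in the sample never fires even though it exceeds the count.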
Triage Quiz
Answer based on what you found above. Every answer is graded on the server — correct answers are never sent to your browser.