>// SANJAY
DIAGNOSTICS: LAB_TOPOLOGY.XML

CYBER LAB & THREAT RANGE

ACTIVE NETWORK TOPOLOGY MAP CLICK NODES TO AUDIT TELEMETRY
KALI-01 10.0.0.99 PF-GW01 10.0.0.1 WIN-DC01 10.0.0.100 LNX-SRV01 10.0.0.110 SIEM-LOG 10.0.0.250

NODE INTEL REPORT

Select any network node on the topology grid map to query active syslog payloads, host classifications, and detection rule triggers.


Waiting for node telemetry link selection...

LOG INGESTION & PIPELINE STAGES

1. Log Generation (Endpoint Audits)

Audit events generated via Windows Sysmon (Event ID 1: Process Creation, ID 11: File Creation) and Linux Auditd/Syslogs.

2. Ingest Forwarding (Splunk UF / Logstash)

Lightweight agents forward compressed events securely to central logging cluster indices over SSL port 9997.

3. Ingest Parsing & Normalization

Indices parse RAW payloads, normalise headers into consistent mappings, and extract key fields (IP, User, Hashes).

4. Threat Correlation Rules (Sigma & SPL alerts)

Alerting engines monitor index activities. Correlated patterns (e.g. Brute force followed by admin login) trigger Slack/Jira notifications.

MITRE ATT&CK ALIGNED PROTECTION MATRIX

Tactical detection rules implemented in Sanjay's laboratory to identify known threat actor techniques.

Initial Access Execution Persistence Credential Access Lateral Movement Command & Control
T1190
Exploit Public App
T1059
Command Shells
T1543
Create System Service
T1110
Brute Force
T1021
Remote Services
T1071
Application Protocol
T1566
Phishing Ingress
T1204
User Execution
T1098
Account Manipulation
T1003
LSASS Dumping
T1550
Use Alternate Token
T1573
Encrypted Channel