SIEM console

Defense center

A simulated analyst workspace for defensive commands, threat hunting labs, triage queues, and evidence review. Data is generated from the database and no external systems are queried.

Open labs

critical

Simulated alert queue

high

Simulated alert queue

medium

Simulated alert queue

low

Simulated alert queue

Live event stream

Time	Host	Severity	Source	Event
22:14:47	vpn-edge	high	Kubernetes	Extract pod security contexts.
22:07:47	win-hr-014	low	Kubernetes	List service account token secrets.
22:00:47	web-01	medium	Kubernetes	Inspect pod security and runtime details.
21:53:47	vpn-edge	medium	Kubernetes	Review cluster events by time.
21:46:47	web-01	high	Kubernetes	List validating admission webhooks.
21:39:47	web-01	high	Kubernetes	Review pod resource usage for anomalies.
21:32:47	web-01	low	Trivy	Scan a container image for vulnerabilities.
21:25:47	linux-jump	low	Trivy	Scan filesystem for vulnerabilities and misconfiguration.

Investigation query

index=security earliest=-24h
| stats count by host, source, severity
| where severity IN ("high","critical")
| sort -count

The query language panel is illustrative. Use the command cards below to open real database-backed references and simulated labs.

Defensive labs

All labs

Lab Intermediate

Nuclei Template Signal Triage

Simulate template-driven web vulnerability triage.

Lab Advanced

Active Directory Attack Path Review

Interpret a simulated AD graph finding.

Lab Intermediate

AWS S3 Exposure Audit

Simulate cloud storage exposure review.

Lab Intermediate

AWS IAM Privilege Risk With CloudSplaining

Review simulated IAM excessive privilege output.

Lab Intermediate

Prowler Cloud Posture Triage

Practice interpreting cloud posture findings.

Lab Advanced

ScoutSuite Multi-Cloud Review

Simulate multi-cloud audit output review.

Lab Intermediate

Kubernetes RBAC Review

Review simulated Kubernetes access control.

Lab Beginner

Container Image Vulnerability Scan

Interpret simulated container scan results.

Lab Intermediate

Threat Hunting Encoded PowerShell

Run a simulated SOC hunt for encoded PowerShell.

Lab Intermediate

Wazuh File Integrity Investigation

Triage simulated file integrity monitoring alerts.

SIEM Intermediate

Open SOC Analyst Console

Free-play simulated SOC workspace with live-style alerts, SIEM queries, triage, hunting, and case practice.

Lab Intermediate

Reading Tcpdump Output

Practice requesting a short packet capture and reading fake output.

Lab Intermediate

Basic Splunk Search Query

Run a safe simulated search for failed Windows logons.

Lab Intermediate

Firewall Rule Interpretation

Inspect a predefined firewall rule listing.

Defensive command playbook

Filter library

Kubernetes

Extract pod security contexts.

kubectl get pods -A -o jsonpath="{..securityContext}"

Kubernetes

List service account token secrets.

kubectl get secrets -A --field-selector type=kubernetes.io/service-account-token

Kubernetes

Inspect pod security and runtime details.

kubectl describe pod web-frontend -n production

Kubernetes

Review cluster events by time.

kubectl get events -A --sort-by=.metadata.creationTimestamp

Kubernetes

List validating admission webhooks.

kubectl get admissionregistration.k8s.io/validatingwebhookconfigurations

Kubernetes

Review pod resource usage for anomalies.

kubectl top pods -A

Trivy

Scan a container image for vulnerabilities.

trivy image nginx:1.23

Trivy

Scan filesystem for vulnerabilities and misconfiguration.

trivy fs --security-checks vuln,config .