SIEM Operations • Room 1

Telemetry & Tools

A SIEM is only as good as its data sources. As an analyst, you must know which tool provides which logs.

Firewalls log perimeter traffic decisions, including blocked inbound connections. EDR (Endpoint Detection and Response) logs process execution and file changes on endpoints. Proxies log outbound web requests from users.
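As an added illustration that is not part of this room's material, the following Python maps constructed sample log lines from each of these sources (plus the domain controller source used in the knowledge check) to the telemetry they represent and pulls out the fields an analyst would pivot on; the line formats, field names, user and host values are assumptions made for the example.

```python
import json
import re

# Constructed sample events, one per telemetry source (not real logs;
# the formats and values are assumptions made for this example).
SAMPLE_EVENTS = [
    'FW action=deny proto=tcp src=203.0.113.7 dst=10.0.0.5 dport=22 dir=inbound',
    '{"source":"edr","event":"process_start","parent":"winword.exe","image":"powershell.exe","user":"jdoe"}',
    'PROXY user=jdoe method=GET url=http://example.invalid/login.php action=allowed category=phishing',
    'DC EventID=4625 user=jdoe workstation=WS01 status=0xC000006D',
]

def classify(raw):
    """Identify which telemetry source a raw line came from and extract
    the fields worth pivoting on. Returns (source, fields)."""
    if raw.startswith('{'):
        ev = json.loads(raw)
        if ev.get('source') == 'edr':
            return 'EDR Logs', {'parent': ev['parent'], 'image': ev['image'], 'user': ev['user']}
    kv = dict(re.findall(r'(\w+)=(\S+)', raw))  # key=value pairs of the text formats
    if raw.startswith('FW '):
        return 'Firewall Logs', {'action': kv['action'], 'dport': int(kv['dport']), 'dir': kv['dir']}
    if raw.startswith('PROXY '):
        return 'Web Proxy Logs', {'user': kv['user'], 'url': kv['url'], 'category': kv['category']}
    if raw.startswith('DC '):
        # 4625 is the Windows "An account failed to log on" event
        return 'Domain Controller Logs', {'event_id': int(kv['EventID']), 'user': kv['user']}
    return 'Unknown', {}

def triage(events):
    """Map each raw event to its source and a short analyst note."""
    out = []
    for raw in events:
        source, f = classify(raw)
        if source == 'EDR Logs' and f['image'] == 'powershell.exe':
            note = f"process launched via {f['image']} (parent {f['parent']})"
        elif source == 'Firewall Logs' and f['action'] == 'deny' and f['dir'] == 'inbound':
            note = f"inbound traffic blocked on port {f['dport']}"
        elif source == 'Web Proxy Logs' and f['category'] == 'phishing':
            note = f"user {f['user']} requested a URL categorised as {f['category']}"
        elif source == 'Domain Controller Logs' and f['event_id'] == 4625:
            note = f"failed logon for {f['user']} (Event ID 4625)"
        else:
            note = 'no triage rule matched'
        out.append((source, note))
    return out

if __name__ == '__main__':
    for source, note in triage(SAMPLE_EVENTS):
        print(f"{source:24} {note}")
```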

Knowledge Check

Prove your understanding to clear the room (Rewards XP)
Process launched via powershell.exe
Inbound traffic blocked on port 22
User clicked a malicious URL
Invalid password attempts on AD

EDR Logs
Firewall Logs
Web Proxy Logs
Domain Controller Logs