Scenario and Instructions

Instructions:

  • Compatibility: VirtualBox

  • Uncompress the lab (pass: cyberdefenders.org)

  • Zip SHA1: 7d2e0b18bc11e9987431369b180577886d956b0a

  • Zip size: 20 GB

  • Make sure you have a host-only subnet in the IP range 192.168.20.0/24.

  • Assign the proper network adapter (192.168.20.0/24) to the VM before starting it.

  • Wait a few minutes after the import completes, then visit: https://192.168.20.21/.

  • Challenge credentials: QRadar Dashboard: admin:Admin@123 - SSH: root:cyberdefenders

In case you face a license issue, go to > License Pool Management, edit the EPS value and set it to > 0, then edit the FPM value and set it to 0. This will ensure you will not have a license problem.

Hardware Requirements: 8GB of memory and 65GB of disk space.

Scenario:

A financial company was compromised, and they are looking for a security analyst to help them investigate the incident. The company suspects that an insider helped the attacker get into the network, but they have no evidence.

The initial analysis performed by the company's team showed that many systems were compromised. Also, alerts indicate the use of well-known malicious tools in the network. As a SOC analyst, you are assigned to investigate the incident using QRadar SIEM and reconstruct the events carried out by the attacker.

Dataset:

  • Sysmon (SwiftOnSecurity configuration)

  • PowerShell logging

  • Windows Event Log

  • Suricata IDS

  • Zeek logs (conn, HTTP)

Note for The Setup

💡 Before starting the investigation, watch this video, which explains how to run the machine and prepare the environment for the analysis. 📺 A full setup and walkthrough guide is available here: https://www.youtube.com/watch?v=4uM4JEhbEjI

Accessing QRadar Console

After starting the QRadar virtual machine, begin the investigation by accessing the QRadar web console through the following URL:

🔗 https://192.168.20.21/
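The setup steps above (verify the archive hash, make sure a VirtualBox host-only interface exists in 192.168.20.0/24, then reach the console) can be checked from a shell before you spend time on a broken import. The script below is an added example, not part of the CyberDefenders lab material; it assumes `VBoxManage` and `curl` are on the PATH and that the zip path is passed as the first argument. The expected SHA1 and the console URL are the values stated in the instructions.

```shell
#!/bin/sh
# Pre-flight checks for importing the lab (added example, not lab material).
# Assumptions: VBoxManage and curl on PATH; first argument is the lab zip.

EXPECTED_SHA1="7d2e0b18bc11e9987431369b180577886d956b0a"   # from the lab instructions
CONSOLE_URL="https://192.168.20.21/"                         # QRadar console

# Compare a file's SHA1 with an expected digest. Returns 0 on match,
# 1 on mismatch, 2 if no SHA1 tool is available.
verify_zip_sha1() {
    file="$1"; expected="$2"
    if command -v sha1sum >/dev/null 2>&1; then
        actual=$(sha1sum "$file" | awk '{print $1}')
    elif command -v shasum >/dev/null 2>&1; then
        actual=$(shasum -a 1 "$file" | awk '{print $1}')
    else
        return 2
    fi
    [ "$actual" = "$expected" ]
}

# True when an IPv4 address lies in 192.168.20.0/24 (the lab's host-only range).
# The case patterns require exactly four octets so 192.168.200.1 is rejected.
in_lab_subnet() {
    case "$1" in
        192.168.20.[0-9]|192.168.20.[0-9][0-9]|192.168.20.[0-9][0-9][0-9])
            [ "${1##*.}" -le 255 ] ;;
        *) return 1 ;;
    esac
}

# Print the name of a VirtualBox host-only interface addressed in the lab range.
# `VBoxManage list hostonlyifs` prints "Name:" and "IPAddress:" lines per interface.
find_lab_hostonly_if() {
    command -v VBoxManage >/dev/null 2>&1 || { echo "VBoxManage not on PATH" >&2; return 2; }
    VBoxManage list hostonlyifs |
    awk '/^Name:/      { sub(/^Name:[ \t]*/, ""); name=$0 }
         /^IPAddress:/ { print $2 "|" name }' |
    (
        while IFS='|' read -r ip name; do
            if in_lab_subnet "$ip"; then printf '%s\n' "$name"; exit 0; fi
        done
        exit 1   # no interface in 192.168.20.0/24
    )
}

# Probe the console over HTTPS. -k is used because the lab console presents a
# self-signed certificate and only reachability is being checked here.
probe_console() {
    code=$(curl -k -s -o /dev/null -m 10 -w '%{http_code}' "$CONSOLE_URL") || return 1
    echo "console answered HTTP $code"
}

main() {
    zip="${1:?usage: $0 <lab.zip>}"
    if verify_zip_sha1 "$zip" "$EXPECTED_SHA1"; then
        echo "SHA1 OK: $zip"
    else
        echo "SHA1 MISMATCH or no SHA1 tool: do not import $zip" >&2; return 1
    fi
    if ifname=$(find_lab_hostonly_if); then
        echo "host-only interface in 192.168.20.0/24: $ifname"
        echo "attach it with: VBoxManage modifyvm <vm-name> --nic1 hostonly --hostonlyadapter1 \"$ifname\""
    else
        echo "no host-only interface in 192.168.20.0/24; create one in VirtualBox first" >&2; return 1
    fi
    probe_console || echo "console not reachable yet; wait a few minutes after import" >&2
}

# Only run the checks when a zip path is given, so the functions can be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh lab_preflight.sh /path/to/lab.zip` once the archive has downloaded; a hash mismatch means the download is incomplete or altered and should not be imported.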

Now, Let’s Start
