Lab/Threat-hunting simulator

Threat-hunting simulator

LiveUpdated 2026-04-26

Four frameworks, applied to one brute-force use case across three log sources. Walk the steps yourself, or read the background first.

Mission objective

Demonstrate that one detection use case spans three log sources when you map it through the framework stack — and that surgical data ingestion (only what each sub-technique needs) is what justifies the Splunk volume.

Threats

Synthetic telemetry too clean reads as a tutorial; too noisy reads as broken.
The walkthrough turning into a vendor-tool demo instead of a methodology demo.
MaGMa metrics drifting from MITRE's actual semantics over time.

Go / No-go criteria

All three scenarios reach disposition with a working detection-as-code artifact.
The cross-source coverage point lands without explanation needed.
ATT&CK Navigator iframe loads the layer JSON from /attack-layer.json.

Lessons learned

One use case, three sub-techniques: the framework stack is the multiplier.
Cost-of-silence: only ingest what each use case requires; justify every byte.

Built for this

Interview-grade four-phase walkthrough (Ingest → Pivot → Correlate → Disposition)
California CDT detection methodology applied to synthetic telemetry
Cross-source proof: same Sigma rule covers Windows AD, FTP, and WordPress
MaGMa lifecycle + metrics rendered as a live sidebar

Built on

MITRE ATT&CK taxonomy + Navigator embed
MaGMa lifecycle framework
Sigma rule format + SPL search syntax

Most SOCs drown in alerts because there is no shared language for what to detect, why, or how well. Four frameworks fix that — each one solving a problem the others do not.

Skip to the walkthrough →

The stack

Kill Chain (where) → ATT&CK (what) → MaGMa (how it is managed) → ATC (the deliverables that prove it). Four frameworks, one analytical stack — not interchangeable layers.

01Lockheed Kill Chain
Where in the attack lifecycle.
Highlighted phase row in Step 3.
lockheedmartin.com ↗
02MITRE ATT&CK
What, specifically, the adversary is doing.
Tactic → Technique → Sub-technique badges in Step 3.
attack.mitre.org ↗
03FI-ISAC MaGMa
How the detection is managed once it ships.
Lifecycle sidebar in Steps 3–4: stage, drivers, effectiveness / implementation / coverage.
betaalvereniging.nl ↗
04Atomic Threat Coverage
How the detection is delivered — as code, not a wiki page.
Six artifact tabs in Step 4: Sigma, SPL, Logging, Trigger (ART), Response, Hardening.
github.com/atc-project ↗

Walkthrough

L1L1.CACredential AccessL2L2.CA.001Brute-force authentication attemptsL33 scenarios(L3.CA.001.WIN)

Step 1 — Ingest

36 events from a 4-hour window

Source: Windows Security log. The cluster you're hunting is hidden in here. Filter to seeded events to skip ahead, or scroll to see what real triage looks like.

Only show flagged events (28 of 36)

120 events × 90 days × 50 hosts ≈ 540K events / month. Surgical ingestion — only the IDs the use case needs — is the discipline that keeps Splunk pricing sane.

Time	Source	Event	User	Src IP	Message
09:02:11	windows	4624Logon success	kbenson	10.42.7.18	Successful network logon
09:14:43	windows	4624Logon success	lcarter	10.42.7.21	Successful network logon
09:32:08	windows	4624Logon success	mdavis	10.42.9.103	Successful RemoteInteractive logon
10:05:51	windows	4634Logoff	kbenson	—	Account logged off
10:18:22	windows	4624Logon success	nedwards	10.42.7.55	Successful network logon
11:15:02	windows	4625Logon failure	jadams	198.51.100.42	Account failure: bad password (substatus 0xC000006A)
11:15:14	windows	4625Logon failure	kbenson	198.51.100.42	Account failure: bad password (substatus 0xC000006A)
11:15:25	windows	4625Logon failure	lcarter	198.51.100.42	Account failure: bad password (substatus 0xC000006A)
11:15:38	windows	4625Logon failure	mdavis	198.51.100.42	Account failure: bad password (substatus 0xC000006A)
11:15:49	windows	4625Logon failure	nedwards	198.51.100.42	Account failure: bad password (substatus 0xC000006A)
11:16:02	windows	4625Logon failure	ofranklin	198.51.100.42	Account failure: bad password (substatus 0xC000006A)
11:16:15	windows	4625Logon failure	pgomez	198.51.100.42	Account failure: bad password (substatus 0xC000006A)
11:16:28	windows	4625Logon failure	qhall	198.51.100.42	Account failure: bad password (substatus 0xC000006A)
11:16:41	windows	4625Logon failure	rivanov	198.51.100.42	Account failure: bad password (substatus 0xC000006A)
11:16:54	windows	4625Logon failure	sjensen	198.51.100.42	Account failure: bad password (substatus 0xC000006A)
11:17:08	windows	4625Logon failure	tkim	198.51.100.42	Account failure: bad password (substatus 0xC000006A)
11:17:21	windows	4625Logon failure	ulopez	198.51.100.42	Account failure: bad password (substatus 0xC000006A)
11:18:02	windows	4625Logon failure	jadams	198.51.100.42	Account failure: bad password (substatus 0xC000006A)
11:18:42	windows	4625Logon failure	kbenson	198.51.100.42	Account failure: bad password (substatus 0xC000006A)
11:19:31	windows	4625Logon failure	mdavis	198.51.100.42	Account failure: bad password (substatus 0xC000006A)
11:21:14	windows	4625Logon failure	ofranklin	198.51.100.42	Account failure: bad password (substatus 0xC000006A)
11:23:02	windows	4625Logon failure	qhall	198.51.100.42	Account failure: bad password (substatus 0xC000006A)
11:24:55	windows	4625Logon failure	rivanov	198.51.100.42	Account failure: bad password (substatus 0xC000006A)
11:26:18	windows	4625Logon failure	sjensen	198.51.100.42	Account failure: bad password (substatus 0xC000006A)
11:28:42	windows	4625Logon failure	tkim	198.51.100.42	Account failure: bad password (substatus 0xC000006A)
11:30:11	windows	4625Logon failure	ulopez	198.51.100.42	Account failure: bad password (substatus 0xC000006A)
11:32:24	windows	4625Logon failure	jadams	198.51.100.42	Account failure: bad password (substatus 0xC000006A)
11:34:08	windows	4625Logon failure	lcarter	198.51.100.42	Account failure: bad password (substatus 0xC000006A)
11:36:51	windows	4625Logon failure	nedwards	198.51.100.42	Account failure: bad password (substatus 0xC000006A)
11:38:42	windows	4625Logon failure	pgomez	198.51.100.42	Account failure: bad password (substatus 0xC000006A)
11:40:31	windows	4625Logon failure	jadams	198.51.100.42	Account failure: bad password (substatus 0xC000006A)
11:42:08	windows	4624Logon success	jadams	198.51.100.42	Successful network logon — flagged: matches preceding 30-min failure burst
11:43:22	windows	4625Logon failure	kbenson	198.51.100.42	Account failure: bad password (substatus 0xC000006A)
12:01:51	windows	4624Logon success	ofranklin	10.42.9.211	Successful network logon
12:34:08	windows	4634Logoff	lcarter	—	Account logged off
12:55:42	windows	4624Logon success	pgomez	10.42.7.31	Successful RemoteInteractive logon

Coverage

ATT&CK Navigator

Live coverage layer rendered against the official MITRE ATT&CK matrix. Teal cells are directly covered by this lab's detection-as-code; cyan cells are adjacent techniques observed downstream. Layer JSON is at /attack-layer.json.