Scenario: Hybrid Golden SAML
Status: Scaffold — content in progress
Lab: [Link to lab]
ATT&CK: [Technique IDs]
Difficulty: [Beginner / Intermediate / Advanced]
Estimated Time: [X] minutes
Narrative
[Realistic threat scenario context]
Pre-Exercise Checklist
- Lab environment running
- SIEM receiving logs
- Attack tools available
- Clean snapshot taken
Attacker Steps
[Numbered steps with commands, ATT&CK tags, and expected log events]
Defender Monitoring Checklist
[What to look for in SIEM at each step]
Expected Detection Results
| Step | Detection Coverage | DRL |
|---|---|---|
| [Fill in] | [Fill in] | [Fill in] |
After-Action Review Template
Date:
Lab Operator:
Gaps Identified:
Improvements:
Cross-Links
| Topic | Link |
|---|---|
| Simulation Framework | simulation-framework |