Detailed tables for events, attack scenarios, and synthetic alerts generated by sample-data.js.
| Package | Event types generated |
|---|---|
| system | SSH auth success/failure, process start, syslog |
| endpoint | Process exec, network connection, file creation |
| windows | Logon 4624/4625, process creation 4688 |
| aws | CloudTrail: ConsoleLogin, AssumeRole, API calls |
| okta | Session start, MFA auth, account lock/password change |
All events use RFC 5737 documentation IP ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and RFC 2606 reserved domain names (example.com, .test, .invalid and the like), so the synthetic data never refers to a real host and cannot trigger real security alerts (for example, indicator matches against a threat-intel feed).
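The following is an added example, not code from sample-data.js: it builds one ECS-shaped event per package from the table above and guards that every address-bearing field stays inside RFC 5737 / RFC 2606 space before anything is indexed. Field names follow ECS; the dataset names, the seeded PRNG and the placeholder account id are assumptions.

```javascript
// Added example (not sample-data.js): safe-address event factory plus a guard
// that rejects any document carrying a non-documentation IP or non-reserved name.

// RFC 5737 documentation ranges: 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24.
const DOC_PREFIXES = ['192.0.2.', '198.51.100.', '203.0.113.'];
// RFC 2606 reserved second-level names and top-level domains.
const SAFE_DOMAINS = ['example.com', 'example.net', 'example.org'];
const SAFE_TLDS = ['.test', '.example', '.invalid', '.localhost'];

function isDocumentationIp(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(ip));
  if (!m) return false;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return false;
  return DOC_PREFIXES.includes(`${o[0]}.${o[1]}.${o[2]}.`);
}

function isReservedName(name) {
  const h = String(name).toLowerCase();
  return SAFE_DOMAINS.some((d) => h === d || h.endsWith('.' + d)) ||
    SAFE_TLDS.some((t) => h.endsWith(t));
}

// Small seeded LCG so a given seed always yields the same documents (assumed helper).
function rng(seed) {
  let s = seed >>> 0;
  return () => {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    return s / 4294967296;
  };
}

const pick = (rand, list) => list[Math.floor(rand() * list.length)];
const safeIp = (rand) => pick(rand, DOC_PREFIXES) + (1 + Math.floor(rand() * 254)); // .1 to .254
const safeHost = (rand) => `host-${100 + Math.floor(rand() * 900)}.${pick(rand, SAFE_DOMAINS)}`;

// One event per package. Dotted keys are used because Elasticsearch expands
// them into nested objects on indexing.
function buildSampleEvents(seed = 1, start = Date.parse('2024-01-01T00:00:00Z')) {
  const rand = rng(seed);
  const ts = (i) => new Date(start + i * 1000).toISOString();
  const host = safeHost(rand);
  return [
    { '@timestamp': ts(0), 'data_stream.dataset': 'system.auth',
      'event.category': ['authentication'], 'event.outcome': 'failure',
      'source.ip': safeIp(rand), 'host.name': host, 'user.name': 'alice' },
    { '@timestamp': ts(1), 'data_stream.dataset': 'endpoint.events.network',
      'event.category': ['network'], 'source.ip': safeIp(rand),
      'destination.ip': safeIp(rand), 'destination.domain': safeHost(rand), 'host.name': host },
    { '@timestamp': ts(2), 'data_stream.dataset': 'windows.security', 'event.code': '4624',
      'event.category': ['authentication'], 'event.outcome': 'success',
      'source.ip': safeIp(rand), 'host.name': host, 'user.name': 'alice' },
    { '@timestamp': ts(3), 'data_stream.dataset': 'aws.cloudtrail', 'event.action': 'ConsoleLogin',
      'event.outcome': 'success', 'source.ip': safeIp(rand), 'user.name': 'alice',
      'cloud.account.id': '123456789012' },   // placeholder account id (assumption)
    { '@timestamp': ts(4), 'data_stream.dataset': 'okta.system', 'event.action': 'user.session.start',
      'event.outcome': 'success', 'source.ip': safeIp(rand), 'user.email': 'alice@example.com' },
  ];
}

// Run this over every batch before indexing: false means a real address slipped in.
function allAddressesSafe(events) {
  const ipFields = ['source.ip', 'destination.ip'];
  const nameFields = ['host.name', 'destination.domain', 'user.email'];
  return events.every((e) =>
    ipFields.every((f) => !(f in e) || isDocumentationIp(e[f])) &&
    nameFields.every((f) => !(f in e) ||
      isReservedName(f === 'user.email' ? String(e[f]).split('@')[1] : e[f])));
}
```

The guard is deliberately strict about the `/24` boundaries: `203.0.114.1` is a routable address even though it looks adjacent to a documentation block, and a single such value in a batch is enough to make a threat-intel match fire against a real host.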
Correlated, multi-step event sequences that mirror real-world attack chains. Events are indexed into standard data streams with field values that resemble patterns targeted by prebuilt detection rules, providing realistic log activity for dashboards and Discover.
| Scenario | Attack chain | Rules targeted |
|---|---|---|
| windowsCredentialAccess | Failed logins, success, encoded PowerShell, scheduled task, LSASS dump, SAM export | Credential Dumping, Suspicious PowerShell, Scheduled Task Persistence |
| awsIAMEscalation | Console login without MFA, create IAM user, attach admin policy, create access keys, turn off trail | AWS Console Login Without MFA, IAM Privilege Escalation, CloudTrail Logging Off |
| oktaAccountTakeover | 10 failed logins, 5 MFA push rejections, successful login, admin role grant, policy modification | Okta Brute Force, MFA Bombing, Admin Role Assigned |
| ransomwareChain | Phishing macro, encoded PowerShell, LSASS dump, C2 beacon, shadow copy deletion, file encryption, ransom note | Macro Execution, LSASS Dump, C2 Beacon, Volume Shadow Copy Deletion, Ransomware |
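What makes these sequences "correlated" is shared context and ordering: every step of one run carries the same host, user and source address, and timestamps increase monotonically, because EQL sequence rules only match events in order. The block below is an added example, not the project's generator, showing the windowsCredentialAccess chain built that way. The `chain.id` / `chain.step` fields are assumed custom fields for finding one run with a single query, and the command lines are illustrative patterns of the kind prebuilt rules look for; the values sample-data.js actually writes are not shown on this page.

```javascript
// Added example (not sample-data.js): stamp one scenario's steps with shared
// context and a monotonic clock, then verify the result correlates.

// Encode a harmless script the way "powershell -EncodedCommand" expects (UTF-16LE, base64).
function encodedPowerShell(script) {
  const b64 = Buffer.from(script, 'utf16le').toString('base64');
  return `powershell.exe -NoProfile -EncodedCommand ${b64}`;
}

// Step templates for the windowsCredentialAccess row: N failed logons, one
// success, then four process-creation (4688) events. ECS/winlog field names;
// command lines are illustrative (assumption).
function windowsCredentialAccessSteps(failedLogons = 5) {
  const logon = (code, outcome) => ({
    'data_stream.dataset': 'windows.security', 'event.code': code,
    'event.category': ['authentication'], 'event.outcome': outcome,
  });
  const proc = (name, cmd) => ({
    'data_stream.dataset': 'windows.security', 'event.code': '4688',
    'event.category': ['process'], 'event.type': ['start'],
    'process.name': name, 'process.command_line': cmd,
  });
  return [
    ...Array.from({ length: failedLogons }, () => logon('4625', 'failure')),
    logon('4624', 'success'),
    proc('powershell.exe', encodedPowerShell('Write-Host hello')),
    proc('schtasks.exe', 'schtasks.exe /Create /SC ONLOGON /TN Updater /TR C:\\Users\\Public\\u.exe'),
    proc('rundll32.exe', 'rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 712 C:\\Windows\\Temp\\lsass.dmp full'),
    proc('reg.exe', 'reg.exe save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv'),
  ];
}

// Apply shared context and strictly increasing timestamps. chain.id / chain.step
// are assumed custom fields, not part of ECS.
function buildScenario(name, steps, ctx, start = Date.parse('2024-01-01T12:00:00Z'), gapMs = 30000) {
  return steps.map((step, i) => ({
    '@timestamp': new Date(start + i * gapMs).toISOString(),
    'host.name': ctx.host, 'user.name': ctx.user, 'source.ip': ctx.sourceIp,
    'chain.id': `${name}-${start}`, 'chain.step': i + 1,
    ...step,
  }));
}

// Pre-index sanity check: one host, one chain id, timestamps strictly increasing.
// A chain that fails this will not match an EQL sequence rule as intended.
function isCorrelated(events) {
  if (events.length === 0) return false;
  const { 'host.name': host, 'chain.id': chain } = events[0];
  let prev = -Infinity;
  for (const e of events) {
    const t = Date.parse(e['@timestamp']);
    if (e['host.name'] !== host || e['chain.id'] !== chain || !(t > prev)) return false;
    prev = t;
  }
  return true;
}

// Usage:
// const events = buildScenario('windowsCredentialAccess', windowsCredentialAccessSteps(),
//   { host: 'ws-01.example.com', user: 'alice', sourceIp: '192.0.2.10' });
// if (!isCorrelated(events)) throw new Error('refusing to index an uncorrelated chain');
```

The 30-second gap between steps is a deliberate choice: many brute-force and sequence rules use a `maxspan` or time window, so a chain whose steps are hours apart will be indexed fine but never trip the rules listed in the table.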
Alert documents are indexed directly into `.alerts-security.alerts-default` with MITRE ATT&CK mappings, risk scores, and severity levels. Because they bypass the detection engine, they power Attack Discovery immediately, without waiting for a detection rule to fire.
| Alert scenario | Alerts generated | Severities |
|---|---|---|
| credentialAccessAlerts | Windows brute force, encoded PowerShell, scheduled task, LSASS dump, SAM export | high, high, medium, critical, critical |
| awsEscalationAlerts | Console login without MFA, IAM user created, admin policy attached, CloudTrail turned off | high, medium, critical, critical |
| oktaTakeoverAlerts | Brute force, MFA bombing, admin role grant, policy modification | high, high, critical, high |
| ransomwareAlerts | Macro execution, C2 beacon, LSASS dump, shadow copy deletion, file encryption, ransom note | high, critical, critical, critical, critical, critical |
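An alert written straight into the alerts index has to carry the fields a rule would normally populate, otherwise the Alerts page and Attack Discovery will not recognise it. The block below is an added example, not sample-data.js, that builds the credentialAccessAlerts row as such documents. Field names follow the `kibana.alert.*` alerts-as-data layout as the editor understands it; the specific ATT&CK technique picks, the rule ids and the deterministic alert ids are assumptions. The risk scores are Elastic's default per-severity values (low 21, medium 47, high 73, critical 99).

```javascript
// Added example (not sample-data.js): synthetic alert documents for
// .alerts-security.alerts-default with ATT&CK mapping, risk score and severity.

// Elastic's default risk score for each severity level.
const RISK_SCORE = { low: 21, medium: 47, high: 73, critical: 99 };

// ATT&CK mapping in the shape rules store under kibana.alert.rule.threat.
function threat(tacticId, tacticName, techId, techName) {
  return {
    framework: 'MITRE ATT&CK',
    tactic: { id: tacticId, name: tacticName, reference: `https://attack.mitre.org/tactics/${tacticId}/` },
    // Sub-technique pages live at /techniques/T1003/001/, hence the dot-to-slash swap.
    technique: [{ id: techId, name: techName, reference: `https://attack.mitre.org/techniques/${techId.replace('.', '/')}/` }],
  };
}

// credentialAccessAlerts row from the table: five alerts, severities in table order.
// Technique choices are assumptions made for this example.
const CREDENTIAL_ACCESS_ALERTS = [
  { rule: 'Windows Brute Force', severity: 'high',
    threat: threat('TA0006', 'Credential Access', 'T1110', 'Brute Force') },
  { rule: 'Encoded PowerShell', severity: 'high',
    threat: threat('TA0002', 'Execution', 'T1059.001', 'PowerShell') },
  { rule: 'Scheduled Task Persistence', severity: 'medium',
    threat: threat('TA0003', 'Persistence', 'T1053.005', 'Scheduled Task') },
  { rule: 'LSASS Memory Dump', severity: 'critical',
    threat: threat('TA0006', 'Credential Access', 'T1003.001', 'LSASS Memory') },
  { rule: 'SAM Hive Export', severity: 'critical',
    threat: threat('TA0006', 'Credential Access', 'T1003.002', 'Security Account Manager') },
];

// Build the documents. Rejects unknown severities up front rather than indexing
// an alert with no risk score, which the UI would render as unscored.
function buildAlerts(scenario, defs, ctx, start = Date.parse('2024-01-01T12:05:00Z'), gapMs = 60000) {
  return defs.map((d, i) => {
    if (!(d.severity in RISK_SCORE)) throw new Error(`unknown severity: ${d.severity}`);
    const ts = new Date(start + i * gapMs).toISOString();
    return {
      '@timestamp': ts,
      'event.kind': 'signal',
      'kibana.alert.uuid': `${scenario}-${start}-${i + 1}`,            // assumed deterministic id
      'kibana.alert.status': 'active',
      'kibana.alert.workflow_status': 'open',
      'kibana.alert.original_time': ts,
      'kibana.alert.reason': `${d.rule} on ${ctx.host} by ${ctx.user}`,
      'kibana.alert.severity': d.severity,
      'kibana.alert.risk_score': RISK_SCORE[d.severity],
      'kibana.alert.rule.name': d.rule,
      'kibana.alert.rule.rule_id': `synthetic-${scenario}-${i + 1}`,   // assumed
      'kibana.alert.rule.threat': [d.threat],
      'kibana.space_ids': ['default'],
      'host.name': ctx.host,
      'user.name': ctx.user,
    };
  });
}

// Handy for checking a scenario against the Severities column of the table.
const severities = (alerts) => alerts.map((a) => a['kibana.alert.severity']);

// Usage:
// const alerts = buildAlerts('credentialAccessAlerts', CREDENTIAL_ACCESS_ALERTS,
//   { host: 'ws-01.example.com', user: 'alice' });
// severities(alerts) is ['high', 'high', 'medium', 'critical', 'critical']
```

Keep the alert timestamps close to the events of the matching scenario; Attack Discovery groups by entity and time, so alerts stamped hours away from the events they describe will be presented as unrelated activity.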