https://cyberdefenders.org/labs/39
A financial company was compromised, and they are looking for a security analyst to help them investigate the incident. The company suspects that an insider helped the attacker get into the network, but they have no evidence.
The initial analysis performed by the company's team showed that many systems were compromised. Also, alerts indicate the use of well known malicious tools in the network. As a SOC analyst, you are assigned to investigate the incident using QRadar SIEM and reconstruct the events carried out by the attacker.
There's a video on how to properly set up the VirtualBox VM and gain access to the QRadar platform.
I've used ELK and Splunk before, but never QRadar, so this is all new to me. My first thought for log sources was to check the Admin console, as that is where any configuration for log sources would be. Sure enough, on the left menu was Data Sources, and then an option for Log Sources.
This opened a popup listing the log sources, and with it the answer.
15
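The count above comes from the Admin console dialog. As an added example (not part of the original write-up or the lab), the same number can be cross-checked from the QRadar REST API, which is handy when the GUI list is paged or filtered. It assumes the endpoint `GET /api/config/event_sources/log_source_management/log_sources`, authenticated with a `SEC` token header, returns a JSON list of objects carrying at least `id`, `name`, `enabled` and `type_id`; treat the endpoint path and field names as assumptions to check against the API docs for your QRadar version. The sample response at the bottom is constructed, not data from the lab.

```python
"""Cross-check the QRadar log source count from the REST API.

Added example for this write-up, not the author's method (they used the
Admin > Data Sources > Log Sources dialog). The endpoint path, the SEC
header and the response fields below are assumptions based on the QRadar
REST API; verify them against the interactive API docs on your console.
"""
import json
import ssl
import urllib.request
from collections import Counter

# Assumed endpoint (QRadar "log source management" API).
ENDPOINT = "/api/config/event_sources/log_source_management/log_sources"


def fetch_log_sources(console, token, verify_tls=True):
    """GET the log source list from a console and return the parsed JSON."""
    req = urllib.request.Request(
        f"https://{console}{ENDPOINT}",
        headers={"SEC": token, "Accept": "application/json"},
    )
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab consoles usually have a self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def summarise(log_sources):
    """Counts to compare against the GUI list: total, enabled/disabled, per type."""
    enabled = [ls for ls in log_sources if ls.get("enabled")]
    by_type = Counter(ls.get("type_id") for ls in log_sources)
    return {
        "total": len(log_sources),
        "enabled": len(enabled),
        "disabled": len(log_sources) - len(enabled),
        "by_type": dict(by_type),
    }


def disabled_names(log_sources):
    """Names of disabled sources; a silenced collector is worth noting in an IR."""
    return sorted(ls["name"] for ls in log_sources if not ls.get("enabled"))


# Constructed sample in the assumed response shape (type_id values are arbitrary).
SAMPLE = [
    {"id": 1, "name": "DC01 Security", "enabled": True, "type_id": 12},
    {"id": 2, "name": "FS01 Security", "enabled": True, "type_id": 12},
    {"id": 3, "name": "Edge Firewall", "enabled": True, "type_id": 24},
    {"id": 4, "name": "WS-Finance-07 Sysmon", "enabled": False, "type_id": 13},
]

if __name__ == "__main__":
    # Replace SAMPLE with fetch_log_sources("<console-ip>", "<sec-token>", False)
    # to run this against a live lab console.
    print(json.dumps(summarise(SAMPLE), indent=2))
    print("disabled:", disabled_names(SAMPLE))
```

Running it against the console should give a `total` equal to the number shown in the Log Sources dialog; if the two differ, check whether the dialog had a filter applied. The `disabled` list is a quick way to spot a collector that was switched off during the incident.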