SOCLabs launches Challenge #140

SOCLabs released Challenge #140 for detection engineers, asking participants to use Sigma/SPL/KQL/EQL on real logs to find threats and tune detections. (social) (x.com)

Detection engineers write the rules that tell security tools which log patterns look like an attack, and SOCLabs has opened a new practice case built around that work. (soc-labs.top) SOCLabs says its platform is built for hands-on detection engineering, with exercises that use “real-world threat data” instead of toy examples. The site says users can start challenges, test rules, and work across major security query languages. (soc-labs.top)

Those query languages are the grammar security teams use to search logs: Splunk’s Search Processing Language searches indexed events, Sigma describes detections in a vendor-neutral format, and Microsoft has published ways to convert Sigma rules into Kusto Query Language for Microsoft Sentinel. (docs.splunk.com) (sigmahq.io) (techcommunity.microsoft.com) Elastic’s Event Query Language adds another layer by letting analysts describe relationships between events over time, not just single log entries. That matters in intrusion detection because many attacks show up as a sequence, such as one process spawning another and then modifying a file. (elastic.co 1) (elastic.co 2)

SOCLabs says the hard part of detection engineering is not writing one clean rule on paper but tuning it against noisy, production-like telemetry. Its about page lists “command variant complexity,” the gap between theory and enterprise data, and the time needed to build test labs as the main obstacles. (soc-labs.top)

The platform’s challenge pages show what that looks like in practice. One exercise on deleting Amazon Route 53 Domain Name System query logs was updated on March 15, 2025, lists 1,234 submissions, and shows a 67.5 percent pass rate. (soc-labs.top) That Route 53 exercise asks users to catch the `DeleteResolverQueryLogConfig` application programming interface call in Amazon Web Services CloudTrail data, a log source security teams use to track management actions in cloud accounts. The sample event on the page includes an event time of May 14, 2025 and a user agent tied to Stratus Red Team, an attack-simulation tool. (soc-labs.top)

Other SOCLabs exercises use Linux Sysmon-style process logs. One page shows a `systemctl disable rsyslog` command as the suspicious action, and another uses `rm` against shell history to model an attacker trying to erase traces on a host. (soc-labs.top 1) (soc-labs.top 2)

SOCLabs says its challenge system supports Sigma, OpenSearch, Splunk, and Elastic syntax, with one-click testing and scoring for false positives and accuracy. That setup turns each new challenge into a small benchmark: write the rule, run it on supplied logs, then tighten it until it catches the attack without flagging everything else. (soc-labs.top)

The new challenge follows that same formula: real logs, multiple query languages, and a scoring loop that rewards tuning as much as detection. For engineers who spend their days turning raw telemetry into alerts, that is the job in miniature. (soc-labs.top)
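The write-run-tune loop described above, as an added illustration that is not SOCLabs' code: a small Sigma-style field matcher scored against constructed CloudTrail-shaped events, showing why a broad "any delete call" draft needs tightening to the exact Route 53 Resolver call before its false-positive count drops. The sample events, their ground-truth labels and the user-agent strings are assumptions made for this example.

```python
# Constructed sample events in CloudTrail shape (not SOCLabs data). "label" is
# ground truth for scoring, not a CloudTrail field; the Stratus Red Team user
# agent string is a placeholder.
R53 = "route53resolver.amazonaws.com"
SAMPLE_EVENTS = [
    {"eventSource": R53, "eventName": "DeleteResolverQueryLogConfig",
     "userAgent": "stratus-red-team_PLACEHOLDER", "label": "attack"},
    {"eventSource": R53, "eventName": "ListResolverQueryLogConfigs",
     "userAgent": "aws-cli/2.15.0", "label": "benign"},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
     "userAgent": "aws-sdk-go/1.44", "label": "benign"},
    {"eventSource": R53, "eventName": "DeleteResolverQueryLogConfig",
     "userAgent": "console.amazonaws.com", "label": "attack"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DeleteSecurityGroup",
     "userAgent": "aws-cli/2.15.0", "label": "benign"},
]

def match_selection(event, selection):
    """Sigma-style selection: every field must match. 'field|contains' is a
    substring test; a bare field name is an exact comparison."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        value = str(event.get(field, ""))
        if modifier == "contains":
            if expected not in value:
                return False
        elif value != expected:
            return False
    return True

def score_rule(selection, events):
    """Run the rule over labelled events; report hits, noise and misses."""
    tp = fp = fn = 0
    for ev in events:
        hit = match_selection(ev, selection)
        if hit and ev["label"] == "attack":
            tp += 1
        elif hit:
            fp += 1
        elif ev["label"] == "attack":
            fn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision, "recall": recall}

# First draft: any delete call. Catches the attack but also flags benign deletes.
BROAD_RULE = {"eventName|contains": "Delete"}
# Tuned: pinned to the exact Route 53 Resolver API call the exercise targets.
TUNED_RULE = {"eventSource": R53, "eventName": "DeleteResolverQueryLogConfig"}
```

On these events `score_rule(BROAD_RULE, SAMPLE_EVENTS)` reports full recall but two false positives, while the tuned rule reports full recall with none.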

Shared from Scout - Be the smartest in the room.