Palo Alto Networks Cybersecurity Academy

Welcome Back, Detective! 🔧

You've learned about IP addresses and domain names. Now let's explore the tools and logs SOC analysts use every day!

⚔️ The Attacker's Playbook: The Kill Chain


Before we learn about defensive tools, let's understand how attackers think. Most intrusions move through a recognisable sequence of stages, described by the Cyber Kill Chain model. This module uses a simplified five-stage version of it (the full Lockheed Martin model also has Installation and Actions on Objectives stages after Exploitation and Command & Control).

🎯 Why This Matters

The attacker has a plan. Your job is to detect them early and disrupt that plan before they reach their goal!

The five stages:

1. 🔍 Recon - research the target
2. 🔧 Weaponize - create the attack
3. 📧 Deliver - send the attack
4. 💥 Exploit - the victim triggers it
5. 🎮 Control - take over

🎯 Know Your Kill Chain


Before we learn the defensive tools, let's make sure you've got the Kill Chain stages down! Match each stage to its description.

Kill Chain stage - what happens:

- 🔍 Reconnaissance - "Casing the Joint": the attacker researches the target
- 🔧 Weaponization - "Building the Attack": the attacker creates malware (off-network!)
- 📧 Delivery - "Special Delivery": the attack is sent via email, website, or USB
- 💥 Exploitation - "Breaking In": the victim triggers the attack (clicks a link, opens a file)
- 🎮 Command & Control - "Taking Over": the attacker gains remote access to your network


📋 Authentication Logs: The Digital Sign-In Sheet


Authentication logs record every single login attempt. Think about when you sign in at the front desk of an office building - they write down your name, the time, and who you're visiting.

🏢 Real-World Analogy

Just like a building's front desk keeps a visitor log, our systems automatically record: WHO tried to log in, WHEN they tried, WHERE they came from (source address), and whether the attempt succeeded or failed. That last field is what turns a pile of login records into evidence: five failures followed by a success tells a very different story than five failures alone.

Typical searches an analyst runs against these logs: repeated failed logins for one account (a possible brute-force attempt), a successful login that follows a burst of failures, and logins from an address or location the user has never used before.
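The searches above, as an added worked example in Python (this code is mine, not part of the original page or Palo Alto Networks' material). It parses Linux sshd log lines into WHO/WHEN/WHERE/outcome events and then applies a sliding window to flag brute-force attempts, escalating when a success follows the failures. The log lines are constructed for the example; 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges, and the function names are my own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Linux sshd/syslog format (not real data). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges; 192.168.1.50 is the internal host from the page.
SAMPLE_AUTH_LOG = """\
Mar 10 09:12:01 web01 sshd[2311]: Failed password for admin from 203.0.113.45 port 51234 ssh2
Mar 10 09:12:03 web01 sshd[2311]: Failed password for admin from 203.0.113.45 port 51235 ssh2
Mar 10 09:12:05 web01 sshd[2311]: Failed password for admin from 203.0.113.45 port 51236 ssh2
Mar 10 09:12:07 web01 sshd[2311]: Failed password for admin from 203.0.113.45 port 51237 ssh2
Mar 10 09:12:09 web01 sshd[2311]: Failed password for admin from 203.0.113.45 port 51238 ssh2
Mar 10 09:12:20 web01 sshd[2312]: Accepted password for admin from 203.0.113.45 port 51240 ssh2
Mar 10 09:30:00 web01 sshd[2400]: Accepted publickey for mike from 192.168.1.50 port 40000 ssh2
Mar 10 11:05:12 web01 sshd[2500]: Failed password for invalid user test from 198.51.100.7 port 33000 ssh2
Mar 10 11:05:40 web01 sshd[2501]: Failed password for mike from 192.168.1.50 port 40010 ssh2
"""

# WHO (user), WHEN (timestamp), WHERE FROM (ip) and the outcome, pulled out of each line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2024):
    """Turn sshd log lines into login events. syslog lines carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines from other daemons, or non-login sshd messages, are skipped
        when = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append({"time": when, "host": m["host"], "user": m["user"],
                       "ip": m["ip"], "success": m["result"] == "Accepted"})
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag each (user, source IP) with >= threshold failures inside a sliding window.

    A finding is escalated to critical when a successful login from the same source
    follows within the window: the guessing may have worked."""
    recent = defaultdict(deque)  # (user, ip) -> failure timestamps still inside the window
    findings = {}                # (user, ip) -> finding
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], ev["ip"])
        q = recent[key]
        while q and ev["time"] - q[0] > window:
            q.popleft()  # forget failures that are older than the window
        if not ev["success"]:
            q.append(ev["time"])
            if len(q) >= threshold:
                f = findings.setdefault(key, {
                    "kind": "brute_force", "severity": "high",
                    "user": ev["user"], "ip": ev["ip"], "first": q[0]})
                f["last"] = ev["time"]
        elif key in findings and ev["time"] - findings[key]["last"] <= window:
            findings[key].update(kind="brute_force_success", severity="critical",
                                 last=ev["time"])
    return list(findings.values())


if __name__ == "__main__":
    for f in detect_brute_force(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(f"{f['severity'].upper():8} {f['kind']:20} user={f['user']} "
              f"from={f['ip']} {f['first']:%H:%M:%S}..{f['last']:%H:%M:%S}")
```

The sliding window is the part worth copying: a plain count of failures per account never resets, so a user who mistypes a password once a day for a month eventually trips the threshold. Counting only failures that fall inside the window, and keying on the source address as well as the account, keeps the alert tied to one attacker's burst of activity.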

🌐 Web Traffic Logs: The Internet Hall Monitors

Web proxy logs record every outbound web request from the network: which internal client made it, when, the destination host and URL, the HTTP method, and the response status and size. Two kill chain stages leave their traces here: Delivery (a user fetching a malicious file from a phishing link) and Command & Control (an infected host checking in with the attacker's server, often at clockwork-regular intervals).
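The two proxy-log searches described above, as an added Python example (my code, not part of the original page or Palo Alto Networks' material). It matches destinations against a blocklist of indicators and then looks for beaconing, the evenly spaced check-ins that malware makes to its controller. The log layout, the sample lines and the hostnames ending in .example are constructed for this example; the address 45.33.32.156 is reused from the firewall exercise that follows, with the "Malware C2" label the page gives it.

```python
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed proxy log, one request per line: "epoch client_ip method url status bytes".
# This is a made-up layout for the example, not a specific vendor's format.
SAMPLE_PROXY_LOG = """\
1710061200 192.168.1.50 GET http://intranet.example/home 200 8192
1710061233 192.168.1.77 GET http://news.example/article/42 200 51200
1710061260 192.168.1.50 GET http://45.33.32.156/gate.php 200 312
1710061290 192.168.1.77 GET http://cdn.example/lib.js 200 4096
1710061320 192.168.1.50 GET http://45.33.32.156/gate.php 200 298
1710061344 192.168.1.77 GET http://news.example/article/43 200 49000
1710061380 192.168.1.50 GET http://45.33.32.156/gate.php 200 305
1710061398 192.168.1.77 GET http://files-share.example/invoice.exe 200 204800
1710061440 192.168.1.50 GET http://45.33.32.156/gate.php 200 311
1710061500 192.168.1.50 GET http://45.33.32.156/gate.php 200 300
"""

# Indicators of compromise: 45.33.32.156 is labelled "Malware C2" in the firewall
# exercise on this page; files-share.example is a constructed phishing download host.
BLOCKLIST = {"45.33.32.156", "files-share.example"}


def parse_proxy_log(text):
    """Split each line into fields and pull the destination host out of the URL."""
    events = []
    for line in text.splitlines():
        epoch, client, method, url, status, size = line.split()
        u = urlparse(url)
        events.append({"time": int(epoch), "client": client, "method": method,
                       "host": u.hostname, "path": u.path, "status": int(status),
                       "bytes": int(size)})
    return events


def find_ioc_hits(events, blocklist=BLOCKLIST):
    """Requests whose destination host is on the blocklist (delivery or C2 evidence)."""
    return [ev for ev in events if ev["host"] in blocklist]


def find_beacons(events, min_requests=5, max_jitter=0.2):
    """Client/host pairs contacted at suspiciously regular intervals.

    Malware checking in with its controller tends to produce evenly spaced requests;
    people browsing do not. Jitter is the coefficient of variation of the gaps."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["client"], ev["host"])].append(ev["time"])
    beacons = []
    for (client, host), times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            beacons.append({"client": client, "host": host, "count": len(times),
                            "interval": avg, "jitter": jitter})
    return beacons


if __name__ == "__main__":
    events = parse_proxy_log(SAMPLE_PROXY_LOG)
    for ev in find_ioc_hits(events):
        print(f"IOC hit  {ev['client']} -> {ev['host']}{ev['path']}")
    for b in find_beacons(events):
        print(f"beacon   {b['client']} -> {b['host']} every {b['interval']:.0f}s "
              f"x{b['count']} (jitter {b['jitter']:.2f})")
```

The blocklist match only catches destinations someone has already reported. The beacon check is the complement: it needs no prior knowledge of the destination, because it keys on the attacker's behaviour (regular timing) rather than their infrastructure. Real implants add random jitter to their sleep time, which is why the threshold is a tolerance rather than an exact-interval test.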

🧱 Firewall: The Digital Bouncer


A firewall is like a security guard at the entrance to our network. It checks everyone trying to get in and decides: allowed or not allowed?

🚪 Club Bouncer Analogy

Think about a club with a bouncer and a "banned" list. If someone caused trouble before, the bouncer adds their name to the list. Next time they show up - no entry!

The exercise's incoming traffic, with the verdict on each address:

- 192.168.1.50 (internal): allow
- 185.220.101.50 (Russia - known bad): block
- 8.8.8.8 (Google DNS): allow
- 45.33.32.156 (malware C2): block

Blocklist: 185.220.101.50, 45.33.32.156

The labels are the exercise's; in production the "known bad" verdict comes from threat intelligence, not from a country name. Rule order matters too: a firewall takes the first rule that matches, so a broad allow placed above the blocklist silently disables it.
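The bouncer's decision as an added Python example (my code, not part of the original page or Palo Alto Networks' material): a first-match policy evaluator with a default deny, plus a check for rules that can never fire because an earlier rule already covers them. The rule set is constructed from the exercise's four addresses and the page's labels; the `Rule` type and function names are my own, and the "temporary allow everything" rule in the second policy is invented to show the ordering mistake.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: ipaddress.IPv4Network  # source prefix this rule matches
    comment: str = ""


def rule(action, cidr, comment=""):
    return Rule(action, ipaddress.ip_network(cidr, strict=False), comment)


# Constructed policy from the exercise's addresses and labels; first match wins.
POLICY = [
    rule("deny",  "185.220.101.50/32", "known bad (exercise label)"),
    rule("deny",  "45.33.32.156/32",   "malware C2 (exercise label)"),
    rule("allow", "192.168.1.0/24",    "internal LAN"),
    rule("allow", "8.8.8.8/32",        "Google DNS"),
]

# Same rules with an over-broad allow inserted at the top (invented for the example):
# every rule below it is now unreachable, including the blocklist.
SHADOWED_POLICY = [rule("allow", "0.0.0.0/0", "temporary: allow everything")] + POLICY


def evaluate(policy, src_ip, default="deny"):
    """Return (action, index of the matching rule); index is None when the default applies."""
    ip = ipaddress.ip_address(src_ip)
    for i, r in enumerate(policy):
        if ip in r.src:         # membership test handles the prefix length for us
            return r.action, i
    return default, None        # nothing matched: the bouncer's default is "not on the list"


def shadowed_rules(policy):
    """Indices of rules that can never match because an earlier rule covers their prefix."""
    return [i for i, r in enumerate(policy)
            if any(r.src.subnet_of(earlier.src) for earlier in policy[:i])]


def blocklist(policy):
    """The 'banned list': every prefix the policy denies."""
    return sorted(str(r.src) for r in policy if r.action == "deny")


if __name__ == "__main__":
    for ip in ("192.168.1.50", "185.220.101.50", "8.8.8.8", "45.33.32.156", "203.0.113.9"):
        action, idx = evaluate(POLICY, ip)
        why = POLICY[idx].comment if idx is not None else "default"
        print(f"{ip:16} {action:5} ({why})")
    print("blocklist:", blocklist(POLICY))
    print("shadowed rules in SHADOWED_POLICY:", shadowed_rules(SHADOWED_POLICY))
```

Two points the exercise's click-to-block interface hides: the default verdict for traffic that matches nothing (deny, here) is a rule in its own right, and a shadowed-rule check like `shadowed_rules` is the kind of thing to run on every policy change, because a blocklist that sits below an "allow any" rule looks complete and does nothing.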

📬 Alert Queue: Prioritize the Threats


Every time our systems detect something suspicious, it creates an alert. SOC analysts must prioritize which alerts to investigate first!

⚠️ The Alert Fatigue Problem

SOC analysts can get hundreds of alerts per day. You can't investigate them all at once - you need to rank them by priority and tackle the most critical ones first!

Severity tiers, highest first: Critical, High, Medium, Low. Rank by tier, most urgent at the top. The five alerts in this exercise, in ranked order:

1. Impossible Travel: Mike Johnson logged in from Russia (a login from somewhere he could not have reached since his previous one) - Critical, active compromise indicator, 2 min ago
2. Multiple failed logins: admin account - High, possible brute force, 15 min ago
3. Outbound connection to suspicious IP - High, possible C2 communication, 4 hours ago
4. User clicked known phishing link - Medium, user education needed, 1 hour ago
5. Software update available - Low, maintenance task, 3 hours ago

The two High alerts tie on severity, and the order between them is an analyst's call: the brute force is more recent, but an outbound C2 connection belongs to the Control stage, further along the kill chain than failed logins.

🎯 Connecting the Dots: Offense ↔ Defense


You've learned the Kill Chain (how attackers think) AND the SOC tools (how we defend). Now let's put it all together!

💡 The Big Picture

At each attack stage, there are specific signs we look for. Match each stage to what we'd detect!

Note: Weaponization happens off-network, so it's not in this exercise - we can't detect what we can't see!

Attack stage - what we detect:

- 🔍 Recon ("casing the joint") - 🌐 port scans & network probes
- 📧 Deliver ("special delivery") - 📬 malicious emails & downloads
- 💥 Exploit ("breaking in") - 🔐 unauthorized login attempts
- 🎮 Control ("taking over") - 📡 suspicious outbound connections


🎯 Knowledge Check

Answer these questions to earn your Log Analyst Certificate!

📊 Log Analyst Certificate

Security Operations Fundamental Series - Module 3 Complete

Bronze Level

Awarded for demonstrating understanding of the Kill Chain, authentication logs, web proxy logs, firewalls, and alert management.

What's Next?

In Module 4: Your First Case, you'll put all these skills together to investigate a real phishing attack!