WEEK_2 · DAY_12 · LAB

Lab 12 — Build a Lookup & Macro

Fields, lookups, event types, tags, macros, data models


Lab Objectives

  • Build search-time field extractions
  • Define event types and tags for normalization
  • Author macros for reusable SPL
  • Understand data models and the Common Information Model (CIM)

Lab Instructions

  1. Imagine assets.csv with columns ip, hostname, owner, criticality.
  2. Define an automatic lookup that enriches src_ip in firewall events.
  3. Author a macro `high_value_assets` returning criticality=high hosts.
  4. Use the macro in a search.
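The four steps above, carried through as a worked example. This is an added illustration written for this page, not configuration shipped with the course or with Splunk. The app name `soc30_lab`, the sourcetype `fw:syslog`, the field names `src_ip`/`dest_ip`/`action`, and the rows in assets.csv are all assumptions; substitute the names your firewall data actually carries.

```ini
# --- $SPLUNK_HOME/etc/apps/soc30_lab/lookups/assets.csv (constructed sample) ---
# ip,hostname,owner,criticality
# 10.0.1.10,dc01,identity-team,high
# 10.0.1.20,fileshare01,it-ops,medium
# 10.0.2.5,jump01,secops,high

# --- transforms.conf: the lookup definition (the CSV must sit in the app's lookups/ dir) ---
[assets_lookup]
filename = assets.csv
# Keys are host IPs, so the default exact string match is correct.
# Only add  match_type = CIDR(ip)  if the CSV held subnets rather than hosts.

# --- props.conf: automatic lookups, scoped to the firewall sourcetype (assumed name) ---
[fw:syslog]
LOOKUP-assets_src  = assets_lookup ip AS src_ip  OUTPUTNEW hostname AS src_hostname  owner AS src_owner  criticality AS src_criticality
LOOKUP-assets_dest = assets_lookup ip AS dest_ip OUTPUTNEW hostname AS dest_hostname owner AS dest_owner criticality AS dest_criticality
# OUTPUTNEW never overwrites a field the event already has; use OUTPUT if the
# lookup should win. Prefixing the output fields (src_/dest_) keeps the two
# lookups from clobbering each other and the generic hostname field.

# --- macros.conf ---
# Zero-argument macro, as the lab asks. It expands to a subsearch that returns
# a disjunction such as  (src_ip="10.0.1.10" OR src_ip="10.0.2.5")  built from
# the lookup at search time.
[high_value_assets]
definition = [| inputlookup assets_lookup where criticality="high" | fields ip | rename ip AS src_ip]
iseval = 0

# One-argument variant (added here, beyond what the lab requires): the caller
# chooses which event field the IP list is matched against, e.g. src_ip or dest_ip.
[high_value_assets(1)]
args = ipfield
definition = [| inputlookup assets_lookup where criticality="high" | fields ip | rename ip AS $ipfield$]
iseval = 0

# --- eventtypes.conf: normalisation on top of the lookup ---
# Lookups run before event types in Splunk's search-time sequence, so an event
# type may filter on a field the automatic lookup produced.
[fw_allowed_to_hva]
search = sourcetype="fw:syslog" action="allowed" dest_criticality="high"

# --- tags.conf: CIM Network Traffic tags so the data model picks these events up ---
[eventtype=fw_allowed_to_hva]
network = enabled
communicate = enabled

# Step 4, the search that uses the macro (type it into the search bar):
#   index=fw sourcetype="fw:syslog" `high_value_assets` | stats count BY src_ip src_hostname src_owner action
# or, with the parameterised form, against the destination side:
#   index=fw sourcetype="fw:syslog" `high_value_assets(dest_ip)` | stats count BY dest_ip dest_hostname action
```

Two checks worth doing after deploying: run `| inputlookup assets_lookup` to confirm the CSV is visible from the app, and run a plain `sourcetype="fw:syslog" | table src_ip src_hostname src_criticality` to confirm the automatic lookup is populating fields before you rely on the macro. The subsearch in the macro is subject to the default subsearch limits (10,000 results and a 60-second timeout); for a very large asset inventory, filter on the automatic-lookup field instead, `src_criticality="high"`, which has no result cap but post-filters every scanned event rather than narrowing the index search.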