Walkthrough: the SSH brute-force lab
This is the full play-by-play of your first lab, end to end. Follow along in your own sandbox — by the end you'll have worked a real incident and submitted a graded disposition.
You'll need your login. If you haven't signed in yet, read Getting started first, then come back here.
The scenario
An attacker is trying to break into a server by guessing the password for the root account — hammering it with login attempt after login attempt. This is a brute-force attack, and it maps to the MITRE ATT&CK technique T1110 · Brute Force. Your job is to spot it, confirm it's real, and call it correctly.
Step 1 — Start the lab
- Open learn.24observe.com and sign in.
- In the left sidebar, open Training → Labs.
- Find your assigned lab card and click Start lab.
Starting the lab generates real authentication telemetry in your private sandbox. Nothing is faked or pre-recorded — the same machinery that protects a production environment is now watching your sandbox.
Give it about a minute. A detection rule evaluates incoming activity on a short cycle, so the incident won't appear the instant you click Start — that wait is normal and realistic.
Step 2 — Find the incident
Once the activity crosses the detection's threshold, an incident opens automatically. Go to Monitoring → Incidents in the sidebar. You're looking for something like:
Log alert: Authentication brute-force [T1110] (25 matches in 300s)
Open it. The incident is your case file: it tells you which detection fired, how severe it is, when it started, and the ATT&CK technique it's associated with.
Step 3 — Investigate the evidence
Before you decide anything, gather the facts. A good SOC analyst can answer four questions about any alert:
- What happened? Repeated failed authentications for the root user.
- From where? A single source IP — in this scenario, 203.0.113.66 — is responsible for all of them.
- How much? 25 failed attempts. The detection only fires above 20 in its window, so this cleared the bar.
- How fast? All of it inside a 5-minute window. No human logs in 25 times in five minutes — this is automated.
Put those together and a picture forms: one machine, relentlessly guessing the most privileged account's password, far faster than a person ever would. That is the signature of a brute-force attack.
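To make the detection's logic concrete, here is an added example (not the platform's own rule) of a small Python detector: it parses failed SSH logins, counts them per source IP inside a sliding 300-second window, and raises a T1110 alert once a source passes 20, using the threshold and window from this walkthrough. The syslog-style line format, hostname, process ids and sample lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 20        # rule fires once a source exceeds 20 failures in a window
WINDOW_SECONDS = 300  # the 300 s window quoted in the lab's alert title

# OpenSSH-style "Failed password" lines as written to syslog (assumed format).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed sample: 25 root failures from one IP in 48 s, plus benign noise.
SAMPLE_LOG = "\n".join(
    [f"Jan 10 09:15:{s:02d} host sshd[{1000 + s}]: Failed password for root "
     f"from 203.0.113.66 port {40000 + s} ssh2" for s in range(0, 50, 2)]
    + ["Jan 10 09:16:30 host sshd[2200]: Failed password for alice from 198.51.100.9 port 5001 ssh2",
       "Jan 10 09:16:40 host sshd[2201]: Accepted publickey for deploy from 198.51.100.9 port 5002 ssh2"]
)

def parse_failures(text, year=2024):
    """Yield (timestamp, user, source_ip) for every failed-password line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def detect_bruteforce(text, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window failure count per source IP; returns alerts keyed by IP."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> every account that source has tried
    alerts = {}
    for ts, user, ip in sorted(parse_failures(text)):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window:   # drop failures older than the window
            q.popleft()
        if len(q) > threshold:                         # refresh the alert while still over threshold
            alerts[ip] = {
                "technique": "T1110",
                "count": len(q),
                "users": sorted(users[ip]),
                "span_seconds": int((ts - q[0]).total_seconds()),
            }
    return alerts

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

The single failure for `alice` from the second IP never reaches the threshold, so only 203.0.113.66 produces an alert, which is the same "one source, one account, far too fast" picture the four questions build.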
Use the AI analyst as a second opinion, not a crutch. The platform's AI analyst also looks at the incident and records its own verdict. Form your own call first, then compare — learning why you agree or disagree is the whole point.
Step 4 — Submit your disposition
Back on your lab card in Labs, you'll now see a disposition form. A disposition is your verdict on the incident. Your options:
- True positive — a real threat. (This is the correct call here.)
- False positive — the detection fired, but the activity is harmless.
- Benign — expected, legitimate activity.
- Duplicate — the same issue as another open incident.
Select True positive, then write a short rationale that cites your evidence. A strong rationale names the specifics:
25 failed root logins from a single source IP (203.0.113.66) inside five minutes — well over the brute-force threshold of 20, and far faster than any human. This is a credential brute-force attempt (T1110), not benign noise.
Click Submit disposition.
Step 5 — Read your score
You're graded instantly, out of 100:
- 70 points — your disposition matches the scenario's ground truth.
- 30 points — your rationale is specific and evidence-bearing (a one-word answer scores low here).
You'll also see the AI analyst's own verdict next to yours. Where you and the AI agree, you've got confirmation. Where you differ, that gap is the most valuable thing on the page — dig into who's right and why.
Curious how the grading breaks down, or what the other dispositions mean in practice? See Dispositions & grading.
That's a full investigation. The method you just used — gather evidence, answer the four questions, form a call, justify it — is exactly how SOC analysts work every alert, every day. Next, go deeper on the technique itself in Investigating incidents.