How We Generate Simulated SIEM Alerts

Berkay Soylu
Posted:
February 24, 2025

Cybersecurity training needs to go beyond theory: it should replicate real-world incidents, requiring trainees to analyze logs, investigate threats, and respond as if they were in a real Security Operations Center (SOC). At LetsDefend, we engineer highly realistic SIEM alert scenarios that help learners develop the skills needed to detect and mitigate cyber threats.

In this post, we’ll walk you through the behind-the-scenes process of how we create SIEM alerts: from initial research to crafting realistic attack simulations, extracting logs from real EDR environments, and generating alerts that mimic real-world threats.

1. Research

The foundation of every SIEM alert we generate is a deep understanding of real-world cyber threats, so before creating any alert we conduct thorough research to make sure it reflects current attacker activity. Our process includes:

  • Tracking Threat Intelligence Reports – We monitor APT campaigns, zero-day exploits, and malware trends from security firms, blogs, and industry reports.
  • Analyzing CVE Disclosures – We prioritize actively exploited vulnerabilities and test their real-world impact in our controlled lab.
  • Reverse Engineering Malware – We analyze malware behavior to extract Indicators of Compromise (IOCs), persistence methods, and evasion techniques.
  • Mapping to MITRE ATT&CK – Each attack scenario is aligned with MITRE tactics & techniques, ensuring industry relevance.
  • Covering Diverse Environments – While most of our alerts focus on Windows and Linux, we also explore threats targeting cloud platforms, network appliances (e.g., PAN-OS, FortiOS), and industrial systems.

By combining intelligence from real incidents, emerging threats, and exploit testing, we ensure our SIEM alerts are timely, realistic, and aligned with modern cybersecurity challenges.

2. Building the Environment and Attack Simulation

To ensure each SIEM alert accurately reflects real-world cyber threats, we construct a dedicated vulnerable endpoint tailored to the specific attack scenario. This phase involves setting up an environment where real malware can be deployed, malicious emails can be sent, and security detections can be tested in a controlled manner. Our process includes:

  • Developing or Deploying Real Malware: Depending on the attack type, we either write custom malware or use real-world samples to test how security tools respond to different threat behaviors.
  • Generating Phishing Emails and Attachments: We craft highly realistic spear-phishing emails embedded with malicious payloads. These emails contain files that mimic the tactics used by cybercriminals, ensuring authenticity.
  • Exploiting Vulnerabilities: For attacks leveraging known CVEs, we build a fully functional vulnerable endpoint, execute the exploit, and monitor its impact on a real EDR system.
  • Testing and Capturing Logs: We analyze how different security solutions detect and log each attack, ensuring that the resulting SIEM alerts provide meaningful insights for investigation.

By meticulously crafting and testing each attack scenario, we ensure that our SIEM alerts offer trainees the closest possible experience to real-world incident response, allowing them to sharpen their investigative and mitigation skills.

3. Attack Simulation

To ensure realism, our attack simulations follow a structured kill chain that mimics real-world adversary behavior. Each attack progresses through multiple MITRE ATT&CK techniques, covering various phases from Initial Access to Exfiltration.

Our methodology includes:

  • Executing Multi-Stage Attacks – Simulating real intrusion chains that move from initial foothold to persistence, lateral movement, and data exfiltration.
  • Using Specially Crafted Malware – Developing or modifying real malware to trigger endpoint security detections while ensuring the attack behaves like a real-world threat.
  • Leveraging C2 Frameworks – Deploying well-known and custom Command & Control (C2) tools to simulate how attackers maintain access and execute post-exploitation techniques.
  • Weaponizing Exploits & Payloads – Testing CVEs and custom payloads to evaluate how well security products detect and respond to exploits.
  • Emulating Evasion Techniques – Using anti-analysis methods like obfuscation, process injection, and LOLBins (Living-off-the-Land Binaries) to bypass defenses.

To validate accuracy, we execute simulated attacks in environments equipped with real security products, including Extended Detection and Response (XDR) systems. This allows us to:

  • Observe Real-Time Detection: Assess how security tools identify and respond to the simulated attack.
  • Collect Authentic Logs: Gather logs and alerts generated during the attack for use in training scenarios.
  • Refine Detection Rules: Adjust and fine-tune detection mechanisms to ensure they effectively identify the threat.

By integrating real security tools into our simulations, we provide learners with an environment that closely resembles actual SOC operations, enhancing the practical value of our training.

4. Generating Logs

Cyber incidents leave behind traces in system logs, network traffic, and security tools. To create a realistic training environment, we generate synthetic logs that accurately mimic real-world attack behaviors. This ensures that trainees learn how to analyze log data effectively, just as they would in a real Security Operations Center (SOC). Our log generation process includes:

  • Custom Log Generators: We use internal tools to generate Windows Event Logs, Sysmon logs, firewall logs, and EDR telemetry that align with known attack patterns.
  • Replay of Real Attacks: We reconstruct log trails from historical cyber incidents, modifying them to create unique yet realistic variations for training.
  • Automated Data Injection: We execute controlled attack scripts in sandbox environments, capturing authentic logs that we refine for practical use.
  • Simulating Adversary Behavior: Logs are enriched with behaviors aligned to MITRE ATT&CK tactics, including process injections, privilege escalations, and lateral movement.
  • Network Traffic Analysis: For attacks involving C2 (Command and Control) communication, DNS tunneling, or data exfiltration, we generate realistic network logs to mirror these threats.
  • Anomaly Detection Integration: To train analysts in detecting stealthy threats, we include behavioral anomalies in logs, such as unusual login attempts or unauthorized access patterns.

For example, when simulating a ransomware attack, we generate logs that highlight:

  • File encryption activity captured in Sysmon and EDR logs.
  • Suspicious PowerShell execution in Windows Event Logs.
  • External C2 traffic detected in firewall logs.
  • Credential dumping attempts logged by security monitoring tools.
  • Persistence mechanisms such as registry modifications and scheduled tasks.

[Screenshot: Internal tool for log generation]

We utilize internal tools with AI-assisted log generation to create custom logs based on specific attack details and timelines. This enables the fast creation of realistic log data, enhancing the depth and variety of our SIEM training scenarios. We generate both malicious and benign logs, accurately reflecting real-world systems.
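As an added example (not LetsDefend's internal tool), the following Python script shows the shape such a generator takes for the ransomware case above: a small scenario spec drives a time-ordered trail of Windows Security, Sysmon, firewall and EDR records, mixed with benign background events, and a validation pass checks the consistency a trainee's investigation depends on (one host, one clock, every malicious record mapped to an ATT&CK technique). All hostnames, usernames, IP addresses, paths and timings are constructed for the example.

```python
"""Synthetic log generator for a ransomware training scenario.

Added example, not LetsDefend's internal tool. A small scenario spec (all
values constructed) drives a timeline of events across Windows Security,
Sysmon, firewall and EDR sources. Attack stages and benign background noise
share one host, user and clock, so the trail stays internally consistent,
and the seed makes each variation reproducible.
"""
from datetime import datetime, timedelta
import json
import random

# Constructed scenario specification: host, user and addresses are made up
# (203.0.113.0/24 is a documentation range, not a real attacker address).
SCENARIO = {
    "host": "WS-FIN-042",
    "user": "CORP\\j.doe",
    "attacker_ip": "203.0.113.77",
    "start": datetime(2025, 2, 24, 9, 12, 0),
    "seed": 7,
}

# Attack stages: (seconds after start, log source, source-specific fields,
# MITRE ATT&CK technique the stage is mapped to). "{docs}" is filled in
# from the scenario user at generation time.
STAGES = [
    (0, "windows_security", {"event_id": 4688, "process": "powershell.exe",
                             "parent": "winword.exe"}, "T1059.001"),
    (4, "firewall", {"action": "allow", "dst_port": 443, "bytes_out": 1842}, "T1071.001"),
    (9, "edr", {"process": "lsass.exe", "detail": "cross-process memory read"}, "T1003.001"),
    (15, "sysmon", {"event_id": 13, "target": "HKCU\\Software\\Microsoft\\Windows\\"
                                              "CurrentVersion\\Run\\updater"}, "T1547.001"),
    (20, "sysmon", {"event_id": 11, "file": "{docs}\\q1-forecast.xlsx.locked"}, "T1486"),
    (21, "sysmon", {"event_id": 11, "file": "{docs}\\board-deck.pptx.locked"}, "T1486"),
]
BENIGN_PROCESSES = ["explorer.exe", "outlook.exe", "chrome.exe", "teams.exe"]


def _event(ts, source, spec, label, **fields):
    """One log record; the shared fields come from the scenario spec."""
    rec = {"timestamp": ts.isoformat(timespec="seconds"), "source": source,
           "host": spec["host"], "user": spec["user"], "label": label}
    rec.update(fields)
    return rec


def generate(spec=SCENARIO, benign_count=12):
    """Return the merged, time-ordered trail of benign and malicious events."""
    rng = random.Random(spec["seed"])
    t0 = spec["start"]
    docs = "C:\\Users\\%s\\Documents" % spec["user"].split("\\")[-1]
    events = []
    for delay, source, fields, technique in STAGES:
        fields = {k: v.format(docs=docs) if isinstance(v, str) else v
                  for k, v in fields.items()}
        if source == "firewall":  # the C2 beacon goes to the attacker address
            fields.update(src_host=spec["host"], dst_ip=spec["attacker_ip"])
        events.append(_event(t0 + timedelta(seconds=delay), source, spec,
                             "malicious", technique=technique, **fields))
    # Benign noise in the minutes around the attack: ordinary process starts
    # and internal SMB traffic, so the trail is not wall-to-wall malicious.
    for _ in range(benign_count):
        ts = t0 + timedelta(seconds=rng.randint(-300, 120))
        if rng.random() < 0.6:
            events.append(_event(ts, "windows_security", spec, "benign", event_id=4688,
                                 process=rng.choice(BENIGN_PROCESSES), parent="explorer.exe"))
        else:
            events.append(_event(ts, "firewall", spec, "benign", action="allow",
                                 src_host=spec["host"], dst_ip="10.0.5.%d" % rng.randint(2, 254),
                                 dst_port=445, bytes_out=rng.randint(200, 4000)))
    events.sort(key=lambda e: e["timestamp"])
    return events


def validate(events):
    """Integrity checks a trail must pass before it is turned into an alert."""
    issues = []
    if len({e["host"] for e in events}) != 1:
        issues.append("events span more than one host")
    stamps = [e["timestamp"] for e in events]
    if stamps != sorted(stamps):
        issues.append("timeline is not in chronological order")
    for e in events:
        if e["label"] == "malicious" and "technique" not in e:
            issues.append("malicious event without ATT&CK mapping: %r" % e)
    return issues


if __name__ == "__main__":
    for rec in generate():
        print(json.dumps(rec))
```

Changing the seed, host or start time in `SCENARIO` yields a different but equally coherent variation of the same scenario, which is the property that lets one attack chain back many distinct training alerts.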

5. Generating The SIEM Alert

Once the logs have been collected and the attack has been fully analyzed, the next step is to generate the SIEM alert. This is where the raw data comes to life and is transformed into a structured alert that mirrors what analysts would see in a real-world Security Operations Center (SOC).

[Screenshot: Internal tool for alert creation]

Next, we design the alert logic, which involves crafting correlation rules and detection signatures that closely resemble those found in enterprise SIEM and XDR solutions. We then focus on ensuring data integrity, aligning timestamps, IP addresses, process details, and other log information across the entire alert to create a smooth and coherent investigation flow.

In addition to this technical accuracy, we add context to the alert: metadata such as affected hosts, users, processes, and file hashes. This gives analysts the complete picture and lets them dig deeper into the investigation. For Tier 1 security analyst alerts, we guide the investigation, offering insights into the incident and suggesting next steps.

For Tier 2 incident responder alerts, we incorporate SOC L1 notes, offering additional context to support the incident response process. This structured approach not only ensures that our SIEM alerts are realistic but also helps analysts at different tiers develop the skills needed for effective incident detection and response.

We even provide enough detail within the alerts to enable the generation of a Sigma rule, which can be used to detect similar attacks in the future. This makes the alert not only a training tool but also a practical resource for improving detection capabilities.

This detailed, structured approach ensures that our SIEM alerts are not only realistic but also offer SOC analysts at every level the opportunity to practice and refine their skills in investigating and responding to real-world cyber threats.
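An added example (not LetsDefend's alert tooling) of the three steps described above: a correlation rule run over a constructed log trail, an integrity check that the host, user and timestamps quoted in the alert agree with the underlying evidence, and a Sigma rule derived from the triggering process-creation pattern. The host, user, hash and IP values are made up, and the rule name and field names are this example's own.

```python
"""Correlation rule -> structured SIEM alert -> Sigma rule.

Added example, not LetsDefend's alert tooling. One correlation rule runs
over a constructed handful of log records; the resulting alert carries the
metadata an analyst needs (host, user, processes, hashes, destinations,
ATT&CK techniques), an integrity pass confirms the quoted fields agree with
the evidence, and a Sigma rule is emitted for the triggering pattern.
Every host, user, hash and IP below is constructed for the example.
"""
from datetime import datetime, timedelta
import hashlib
import uuid

# Constructed log trail (the shape a log generator would produce).
EVENTS = [
    {"timestamp": "2025-02-24T09:11:48", "source": "windows_security", "host": "WS-FIN-042",
     "user": "CORP\\j.doe", "event_id": 4688, "process": "outlook.exe", "parent": "explorer.exe"},
    {"timestamp": "2025-02-24T09:12:00", "source": "windows_security", "host": "WS-FIN-042",
     "user": "CORP\\j.doe", "event_id": 4688, "process": "powershell.exe", "parent": "winword.exe",
     "sha256": hashlib.sha256(b"constructed-sample-1").hexdigest()},  # placeholder hash
    {"timestamp": "2025-02-24T09:12:04", "source": "firewall", "host": "WS-FIN-042",
     "user": "CORP\\j.doe", "action": "allow", "dst_ip": "203.0.113.77", "dst_port": 443},
    {"timestamp": "2025-02-24T09:12:09", "source": "edr", "host": "WS-FIN-042",
     "user": "CORP\\j.doe", "process": "lsass.exe", "detail": "cross-process memory read"},
]

# Correlation rule: an Office-spawned PowerShell on a host, confirmed by an
# EDR record of LSASS memory access on the same host within the window.
RULE = {
    "name": "Office-spawned PowerShell followed by LSASS access",
    "window_seconds": 60,
    "trigger": {"source": "windows_security", "event_id": 4688, "process": "powershell.exe",
                "parent_in": {"winword.exe", "excel.exe", "outlook.exe"}},
    "confirm": {"source": "edr", "process": "lsass.exe"},
    "techniques": ["T1059.001", "T1003.001"],
    "severity": "high",
}


def _ts(e):
    return datetime.fromisoformat(e["timestamp"])


def correlate(events, rule=RULE):
    """Return the structured alert if the rule fires, otherwise None."""
    trig, conf = rule["trigger"], rule["confirm"]
    for t in events:
        if not (t.get("source") == trig["source"] and t.get("event_id") == trig["event_id"]
                and t.get("process") == trig["process"] and t.get("parent") in trig["parent_in"]):
            continue
        deadline = _ts(t) + timedelta(seconds=rule["window_seconds"])
        for c in events:
            if (c.get("source") == conf["source"] and c.get("process") == conf["process"]
                    and c["host"] == t["host"] and _ts(t) <= _ts(c) <= deadline):
                related = [e for e in events if _ts(t) <= _ts(e) <= _ts(c)]
                return {
                    "rule": rule["name"], "severity": rule["severity"],
                    "techniques": rule["techniques"], "host": t["host"], "user": t["user"],
                    "processes": sorted({e["process"] for e in related if "process" in e}),
                    "file_hashes": sorted({e["sha256"] for e in related if "sha256" in e}),
                    "destinations": sorted({e["dst_ip"] for e in related if "dst_ip" in e}),
                    "first_seen": t["timestamp"], "last_seen": c["timestamp"],
                    "evidence": related,
                }
    return None


def check_integrity(alert):
    """Data-integrity pass: every field the alert quotes must match its evidence."""
    problems, ev = [], alert["evidence"]
    if any(e["host"] != alert["host"] for e in ev):
        problems.append("host mismatch in evidence")
    if any(e["user"] != alert["user"] for e in ev):
        problems.append("user mismatch in evidence")
    if [e["timestamp"] for e in ev] != sorted(e["timestamp"] for e in ev):
        problems.append("evidence not in chronological order")
    if alert["first_seen"] > alert["last_seen"]:
        problems.append("first_seen is after last_seen")
    return problems


def sigma_rule(alert):
    """Sigma rule (YAML text) for the process-creation pattern that triggered the alert."""
    trigger = alert["evidence"][0]
    lines = [
        "title: %s" % alert["rule"],
        "id: %s" % uuid.uuid5(uuid.NAMESPACE_URL, alert["rule"]),
        "status: experimental",
        "logsource:",
        "  category: process_creation",
        "  product: windows",
        "detection:",
        "  selection:",
        "    ParentImage|endswith: '\\%s'" % trigger["parent"],
        "    Image|endswith: '\\%s'" % trigger["process"],
        "  condition: selection",
        "level: %s" % alert["severity"],
        "tags:",
    ] + ["  - attack.%s" % t.lower() for t in alert["techniques"]]
    return "\n".join(lines)


if __name__ == "__main__":
    alert = correlate(EVENTS)
    print(alert, check_integrity(alert), sigma_rule(alert), sep="\n\n")
```

The integrity pass is the part that most often catches problems in hand-assembled scenarios: a host or user that differs between the trigger and the confirming record, or evidence whose timestamps run backwards, produces an alert a trainee cannot investigate coherently.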

https://app.letsdefend.io/mitre-attack

6. Playbooks for Investigation

We don’t just generate logs and alerts—we structure entire investigation workflows as Playbooks to train users on real SOC tasks.

Each training scenario includes:
✔️ An alert that kicks off an investigation
✔️ Log sources for deeper analysis (Windows logs, Sysmon, proxy logs, etc.)
✔️ Guided playbooks to help trainees follow an incident response methodology
✔️ Realistic attacker behavior, so users must pivot between different log sources to track the threat

[Screenshot: Playbook creation tool]

Example scenario: Credential Dumping Investigation

1️⃣ The trainee receives an alert for Mimikatz execution on a domain controller.
2️⃣ They check Windows Event Logs to confirm the process execution.
3️⃣ They correlate with Sysmon logs to trace the attacker’s next steps.

This approach ensures users develop analytical skills rather than just following a step-by-step tutorial.

7. Preparing Official Incident Reports

Each SIEM alert we create comes with a detailed official incident report crafted by security professionals. These reports serve as a blueprint for investigation, guiding analysts through:

  • Detection: How the attack was identified, including triggered SIEM rules and log sources.
  • Analysis: Step-by-step breakdown of attacker actions.
  • Containment: Recommended actions to stop the threat.
  • Lessons Learned: Key takeaways for future defense.

In the end, we provide MITRE techniques and IOCs to help analysts improve detection and response.

Final Thoughts: Bringing Real-World Cybersecurity Training to Learners

Most traditional cybersecurity courses focus on theoretical knowledge and predefined exercises. However, real-world cyber incidents are unpredictable. Analysts need hands-on experience investigating complex security alerts, sifting through noisy logs, and making quick, data-driven decisions.

Behind every LetsDefend training scenario is a complex engineering process that combines:

  • Research
  • Building the environment
  • Attack simulation
  • Log generation
  • SIEM alert creation
  • Guided investigations via Playbooks
  • Alerts with official incident reports

Our approach ensures that learners develop the practical skills needed to succeed in real-world cybersecurity roles. With each simulated attack, trainees gain valuable insights and experience, preparing them to handle even the most challenging incidents confidently. At LetsDefend, we’re not just teaching cybersecurity; we’re shaping the next generation of skilled blue teamers.
