{
  "scenario_1_triage": [
    {
      "timestamp": "2026-03-31T10:00:00Z",
      "log_type": "zeek_conn",
      "src_ip": "10.0.0.15",
      "dest_ip": "10.0.0.2",
      "dest_port": 443,
      "severity": "low",
      "context": "Standard HTTPS traffic"
    },
    {
      "timestamp": "2026-03-31T10:01:22Z",
      "log_type": "zeek_conn",
      "src_ip": "10.0.0.16",
      "dest_ip": "10.0.0.2",
      "dest_port": 80,
      "severity": "low",
      "context": "Standard HTTP traffic"
    },
    {
      "timestamp": "2026-03-31T10:05:11Z",
      "log_type": "suricata_alert",
      "src_ip": "198.51.100.44",
      "dest_ip": "10.0.0.50",
      "dest_port": 22,
      "severity": "critical",
      "context": "ET SCAN Suspicious inbound SSH brute force detected"
    }
  ],
  "scenario_2_false_positive": [
    {
      "timestamp": "2026-03-31T23:00:00Z",
      "log_type": "suricata_alert",
      "src_ip": "10.0.0.250",
      "dest_ip": "203.0.113.10",
      "dest_port": 443,
      "severity": "high",
      "context": "Massive outbound data transfer detected (Exfiltration?)",
      "host_info": "Primary Backup Server"
    }
  ],
  "scenario_3_kill_chain": [
    {
      "timestamp": "2026-04-01T08:15:00Z",
      "log_type": "email_gateway",
      "src_ip": "external",
      "dest_ip": "10.0.1.55",
      "severity": "medium",
      "context": "Phishing link clicked by user"
    },
    {
      "timestamp": "2026-04-01T08:30:00Z",
      "log_type": "zeek_conn",
      "src_ip": "10.0.1.55",
      "dest_ip": "10.0.1.0/24",
      "dest_port": 445,
      "severity": "high",
      "context": "Internal subnet SMB scanning detected"
    },
    {
      "timestamp": "2026-04-01T08:45:00Z",
      "log_type": "zeek_conn",
      "src_ip": "10.0.1.55",
      "dest_ip": "10.0.0.99",
      "dest_port": 3306,
      "severity": "critical",
      "context": "Connection attempt to Core Database Server"
    }
  ]
}