ThreatLab’s configuration lives in the Admin section of the sidebar. From there, administrators control the SIEM destinations that receive exercise logs and noise traffic, the roles that govern what each analyst can do, the scheduled noise log jobs that keep your SIEM populated with baseline events, and the learning path settings that shape the onboarding experience for new analysts. This page covers each of those areas in the order you are likely to configure them.

SIEM Destinations

Navigate to Admin > Resources to manage the SIEM destinations that ThreatLab ships log archives and noise traffic to. Click Add Destination and provide a name, a driver, and the credentials for your target system. ThreatLab supports three drivers:
Splunk HEC: Connect to a Splunk HTTP Event Collector endpoint. Provide the HEC URL and your token. The token is a bearer credential that authorizes writes into your Splunk instance, so issue a dedicated token for ThreatLab rather than reusing one shared with production log sources. Choose LEEF or ECS as the payload format for events shipped to this destination.
Each destination can be set as the default target for exercise log delivery and noise dispatch independently, allowing you to route training traffic to a dedicated index or collector while keeping production data separate.

User Roles

Navigate to Admin > Roles to manage the roles available in your ThreatLab instance. Roles come in two kinds:
Permission roles carry one or more capability bundles that determine what a user can do. When a user holds multiple permission roles, their effective capability set is the union of all capabilities granted by those roles. The built-in admin and analyst roles are system roles and cannot be deleted, but you can create additional permission roles to express custom access tiers — for example, a role that grants exercise authoring without full admin access.
Title roles are cosmetic labels such as “SOC Lead” or “Instructor”. They are displayed on a user’s profile and in collaborative views, but they grant no capabilities and have no effect on authorization decisions.
For a full list of available capabilities and how to assign roles to users, see Roles.

Noise Log Jobs

Navigate to Admin > Resources > Noise Jobs to create and manage scheduled noise log dispatches. Noise jobs ship background LEEF events to a SIEM destination on a recurring schedule, giving analysts a realistic stream of baseline traffic to work against during training. When creating a job, configure the dispatch schedule using one of two formats:
Interval: Enter a number of seconds between dispatches. The value must be between 60 (one minute) and 86400 (24 hours).
Each job is linked to a SIEM destination and a noise log template. Jobs can be enabled or disabled individually without deleting them. For guidance on authoring noise log templates, see Noise Logs.
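The shipping path described in SIEM Destinations and Noise Log Jobs above, as an added example in Python. This is illustrative code written for this page, not ThreatLab's own implementation: it formats one constructed noise event as LEEF 2.0 and as ECS, wraps it in a Splunk HEC event envelope with the `Authorization: Splunk <token>` header, and gates dispatch on a job's interval and enabled flag. The event fields, the `SplunkHecDestination` and `NoiseJob` names, the sourcetype, and treating the 60 to 86400 bound as inclusive are assumptions; the HEC endpoint path and authorization header are Splunk's documented ones.

```python
"""Added example: LEEF/ECS formatting, Splunk HEC envelope, and noise-job scheduling.
Illustrative model of the behaviour described on this page, not ThreatLab's own code."""
import json
import urllib.request
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, Optional

# Constructed sample noise event (not captured telemetry): one allowed outbound flow.
SAMPLE_EVENT: Dict[str, Any] = {
    "ts": 1700000000, "vendor": "ThreatLab", "product": "NoiseGen", "version": "1.0",
    "event_id": "net.flow.allow", "src_ip": "10.20.30.40", "dst_ip": "93.184.216.34",
    "dst_port": 443, "user": "jdoe", "outcome": "success",
}
LEEF_DELIM = "^"  # LEEF 2.0 lets the sender declare the attribute delimiter in the header


def _iso(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def to_leef(ev: Dict[str, Any]) -> str:
    """LEEF:2.0|Vendor|Product|Version|EventID|Delim|key=value<Delim>key=value ..."""
    header = "|".join(str(ev[k]).replace("|", "\\|")
                      for k in ("vendor", "product", "version", "event_id"))
    attrs = {"devTime": _iso(ev["ts"]), "devTimeFormat": "yyyy-MM-dd'T'HH:mm:ss'Z'",
             "src": ev["src_ip"], "dst": ev["dst_ip"], "dstPort": ev["dst_port"],
             "usrName": ev["user"], "outcome": ev["outcome"]}
    body = LEEF_DELIM.join(f"{k}={v}" for k, v in attrs.items())
    return f"LEEF:2.0|{header}|{LEEF_DELIM}|{body}"


def to_ecs(ev: Dict[str, Any]) -> Dict[str, Any]:
    """Elastic Common Schema document for the same event (nested JSON, not a flat line)."""
    return {
        "@timestamp": _iso(ev["ts"]),
        "event": {"kind": "event", "category": ["network"], "type": ["connection", "allowed"],
                  "action": ev["event_id"], "outcome": ev["outcome"]},
        "source": {"ip": ev["src_ip"]},
        "destination": {"ip": ev["dst_ip"], "port": ev["dst_port"]},
        "user": {"name": ev["user"]},
        "observer": {"vendor": ev["vendor"], "product": ev["product"], "version": ev["version"]},
    }


@dataclass
class SplunkHecDestination:
    name: str
    hec_url: str          # e.g. https://splunk.example.internal:8088/services/collector/event
    token: str            # HEC token: a bearer write credential, keep it out of source control
    payload_format: str   # "LEEF" or "ECS", chosen per destination in Admin > Resources
    index: Optional[str] = None   # dedicated training index keeps noise out of production data
    sourcetype: str = "threatlab:noise"   # assumed name

    def build_request(self, ev: Dict[str, Any]):
        """Return (url, headers, body) for one HEC event without sending anything."""
        if self.payload_format == "LEEF":
            event: Any = to_leef(ev)          # HEC accepts a string event ...
        elif self.payload_format == "ECS":
            event = to_ecs(ev)                # ... or a JSON object event
        else:
            raise ValueError(f"unsupported payload format {self.payload_format!r}")
        body: Dict[str, Any] = {"time": ev["ts"], "sourcetype": self.sourcetype,
                                "source": f"threatlab:{self.name}", "event": event}
        if self.index:
            body["index"] = self.index
        headers = {"Authorization": f"Splunk {self.token}", "Content-Type": "application/json"}
        return self.hec_url, headers, body

    def send(self, ev: Dict[str, Any], timeout: float = 5.0) -> int:
        url, headers, body = self.build_request(ev)
        req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=timeout) as resp:   # TLS URL expected
            return resp.status


@dataclass
class NoiseJob:
    destination: SplunkHecDestination
    template: Dict[str, Any]      # noise log template; here just a field dict
    interval_seconds: int
    enabled: bool = True
    last_dispatch: Optional[int] = None

    def __post_init__(self) -> None:
        # Page states 60..86400; inclusive bounds are an assumption here.
        if not 60 <= self.interval_seconds <= 86400:
            raise ValueError("interval must be between 60 and 86400 seconds")

    def due(self, now: int) -> bool:
        if not self.enabled:          # disabled jobs are kept but never fire
            return False
        return self.last_dispatch is None or now - self.last_dispatch >= self.interval_seconds

    def tick(self, now: int, dry_run: bool = True):
        """Dispatch if due. Returns the built request (dry run) or HTTP status, else None."""
        if not self.due(now):
            return None
        ev = dict(self.template, ts=now)
        self.last_dispatch = now
        return self.destination.build_request(ev) if dry_run else self.destination.send(ev)
```

`send` is kept separate from `build_request` so the payload can be inspected before the token is ever used. Anyone holding an HEC token can write events into every index that token is allowed to target, which is one more reason to point ThreatLab at a dedicated index with its own token.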

Learning Path Curation

Navigate to Admin > Learning Paths to manage the visibility and promotion of learning paths. Two special flags control how paths are surfaced to analysts:
Marking a path as curated features it prominently on the ThreatLab dashboard, making it easy for analysts to discover recommended content. This requires the curate_paths capability.
Marking a path as onboarding causes ThreatLab to suggest it automatically to analysts who have not yet completed any exercises. Use this to guide new team members toward a structured first experience. This also requires the curate_paths capability.
Only one path should be marked as the active onboarding path at a time to avoid presenting new analysts with conflicting recommendations.
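The authorization rules stated under User Roles and Learning Path Curation above, as an added example in Python. This is illustrative code written for this page, not ThreatLab's code: effective capabilities are the union over a user's permission roles, title roles contribute nothing, system roles cannot be deleted, and both curation flags require `curate_paths`. The only role and capability names taken from the page are `admin`, `analyst` and `curate_paths`; the other capability names, the bundle contents, and the `PathCatalog` class are assumptions. The page says only one onboarding path "should" be active; this model enforces that by clearing the flag on every other path.

```python
"""Added example: permission roles vs. title roles, and curate_paths-gated path flags.
Illustrative model of the rules on this page, not ThreatLab's own code."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class PermissionRole:
    name: str
    capabilities: FrozenSet[str]   # the capability bundle(s) carried by this role
    system: bool = False           # admin and analyst are system roles: cannot be deleted


@dataclass(frozen=True)
class TitleRole:
    name: str                      # cosmetic label only; ignored by authorization


# Constructed capability bundles. Only curate_paths is named on this page; the rest are assumed.
ROLES: Dict[str, PermissionRole] = {
    "admin": PermissionRole("admin", frozenset({"manage_destinations", "manage_roles",
                                                "author_exercises", "curate_paths"}), system=True),
    "analyst": PermissionRole("analyst", frozenset({"run_exercises"}), system=True),
    "exercise_author": PermissionRole("exercise_author", frozenset({"author_exercises"})),
    "content_curator": PermissionRole("content_curator", frozenset({"curate_paths"})),
}


@dataclass
class User:
    name: str
    roles: List[object] = field(default_factory=list)   # mix of PermissionRole and TitleRole


def effective_capabilities(user: User) -> Set[str]:
    """Union over permission roles; TitleRole instances are skipped entirely."""
    caps: Set[str] = set()
    for role in user.roles:
        if isinstance(role, PermissionRole):
            caps |= role.capabilities
    return caps


def has_capability(user: User, cap: str) -> bool:
    return cap in effective_capabilities(user)


def delete_role(roles: Dict[str, PermissionRole], name: str) -> None:
    if roles[name].system:
        raise PermissionError(f"{name} is a system role and cannot be deleted")
    del roles[name]


@dataclass
class LearningPath:
    name: str
    curated: bool = False      # featured on the dashboard
    onboarding: bool = False   # suggested to analysts with no completed exercises


class PathCatalog:
    def __init__(self, paths: Iterable[LearningPath]) -> None:
        self.paths: Dict[str, LearningPath] = {p.name: p for p in paths}

    def _require_curate(self, actor: User) -> None:
        if not has_capability(actor, "curate_paths"):
            raise PermissionError(f"{actor.name} lacks curate_paths")

    def set_curated(self, actor: User, name: str, value: bool = True) -> None:
        self._require_curate(actor)
        self.paths[name].curated = value

    def set_onboarding(self, actor: User, name: str) -> None:
        """Mark one path as onboarding and clear every other, so exactly one is active."""
        self._require_curate(actor)
        for p in self.paths.values():
            p.onboarding = (p.name == name)

    def dashboard_featured(self) -> List[str]:
        return [p.name for p in self.paths.values() if p.curated]

    def suggest_for(self, user: User, completed_exercises: int) -> Optional[str]:
        """Onboarding suggestion only for analysts who have completed no exercises."""
        if completed_exercises > 0:
            return None
        return next((p.name for p in self.paths.values() if p.onboarding), None)
```

The check runs on the actor's effective capability set, never on role names, so a custom role such as `content_curator` works the same way as `admin` for this operation, and a "SOC Lead" title attached to an account changes nothing.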