Finding exercises
Navigate to Exercises in the left sidebar to browse the full catalogue. Each exercise card shows the title, difficulty level, estimated duration, point value, and MITRE ATT&CK tags. Use the tags and difficulty filter to find scenarios that match your current learning goals. Learning Paths organise exercises into a recommended sequence. If your administrator has set up a learning path, follow it in order — each exercise unlocks the next as you complete it.
Starting an exercise
Open the exercise detail page
Click the exercise title from the catalogue or learning path view. The detail page shows the full description, MITRE tags, and the ordered list of investigation steps you will work through.
Click Start
Click the Start button. ThreatLab creates a session and ships the exercise log archive to your configured SIEM destination. Depending on archive size, shipping may take a few seconds.
Locate the logs in your SIEM
Once the archive is shipped, the exercise page shows the index name or sourcetype where the logs were ingested. Open your SIEM and search that location to confirm the data has arrived before you begin investigating.
Investigate and work through each step
Read each step’s investigation prompt, search the logs in your SIEM, and record the artifact value you discover. Submit the value in the artifact field for that step. When you are ready to move on, proceed to the next step — partial progress auto-saves so you can close the browser and return later.
Starting an exercise ships real log data to your organisation’s SIEM. Check with your administrator before starting exercises in a production environment — use a dedicated training index or destination to avoid mixing exercise data with live operational data.
Section shipment status
Some exercises stage their log archives in multiple sections that ship at different points during the attempt — for example, releasing later evidence only after you have submitted earlier artifacts. When an exercise uses staged shipping, the exercise detail page shows a section shipment panel that tells you, per section, exactly what is happening with its logs. Each section row displays one of five states:
| State | What it means |
|---|---|
| Not due | The section is waiting on a release delay. Its logs will ship automatically once the delay elapses. |
| Waiting on artifact | The section is gated on one or more expected artifacts. The panel lists which artifacts still need to be submitted before the logs ship. |
| Shipping | The section is eligible and ThreatLab is currently sending the archive to your SIEM. |
| Shipped | The section’s logs are in your SIEM and ready to investigate. |
| Failed | An upload attempt failed. ThreatLab will retry automatically — no action is needed from you. |
Manually pushing logs
If you click Ship logs to SIEM during an attempt, ThreatLab returns one of the following explicit reasons so you know exactly what happened:
| Reason | Meaning |
|---|---|
| shipped | At least one section was just shipped to your SIEM. |
| partial | Some sections shipped, but others were already shipped earlier. |
| already_shipped | Every section that is eligible right now has already been shipped. |
| not_due | No section is currently due — they are all still inside their release delay. |
| waiting_on_artifacts | Sections are eligible only once you submit the gated artifacts. Keep investigating. |
| shipping | A previous shipment is already in flight; ThreatLab will not duplicate it. |
| cooldown_skipped | The destination SIEM is inside its dedupe cooldown window; no new upload was needed. |
| failed | A shipment attempt failed. ThreatLab will retry; check the section shipment panel for details. |
Working through steps
Steps appear in order on your exercise workspace. Each step includes an investigation prompt that describes what you are looking for, and an artifact submission field where you enter your answer. Submissions are checked case-insensitively — capitalisation differences will not cause a correct answer to be rejected. Your progress auto-saves after each accepted submission, so closing the page does not lose your work.
Investigation notebook
Your exercise workspace includes a private notebook where you can write notes as you investigate. To open it, click Notebook from the exercise workspace toolbar.
Notebook entry categories
- Observation — raw data points you notice in the logs
- Hypothesis — possible explanations you are testing
- Finding — confirmed conclusions from your investigation
- Other — anything that does not fit the above categories
review_notebooks capability can read them if your organisation uses a supervised training model, so treat your notebook as a professional working document.
Completing an exercise
When all step artifacts have been submitted and accepted, ThreatLab automatically records your completion, awards the exercise’s point value to your account, and updates the leaderboard. The exercise moves to your History page where you can review your submitted artifacts and the time you took.
Redoing an exercise
Open a completed exercise and click Redo to start a fresh session. ThreatLab creates a new session and ships the archive again. If you have the force_siem_push capability, the platform bypasses the normal upload cooldown between sessions.