# ThreatLab

## Docs

- [Bootstrap the First ThreatLab Admin Account via SQL](https://docs.samschroeder.lu/admin/bootstrapping.md): Promote the first user to admin via a SQL command so you can configure roles, SIEMs, and exercises after your initial ThreatLab deployment.
- [Create and Manage Custom Permission Roles in ThreatLab](https://docs.samschroeder.lu/admin/roles.md): Create custom permission and title roles, assign capabilities, and control exactly what each team member can see and do in ThreatLab.
- [Configure SIEM Log Destinations and Delivery Resources](https://docs.samschroeder.lu/admin/siem-resources.md): Add Splunk, syslog TCP, and Elasticsearch destinations so ThreatLab can ship exercise log archives and analysts can investigate real events in their SIEM.
- [Manage Analyst Users, Roles, and Access in ThreatLab](https://docs.samschroeder.lu/admin/user-management.md): Add analysts to your team, assign roles, ban accounts, and audit each analyst's exercise history from the ThreatLab Users admin panel.
- [ThreatLab API Authentication — Cookies and Tokens](https://docs.samschroeder.lu/api/authentication.md): The ThreatLab API uses session cookies for browser requests and a Bearer token for automated POST /api/noise/run calls from pg_cron or scripts.
- [GET /api/health — ThreatLab Health Check Endpoint](https://docs.samschroeder.lu/api/health.md): GET /api/health returns HTTP 200 with ok: true when the ThreatLab server is running. No authentication required. Use for load balancer probes.
- [POST /api/noise/run — Trigger a Noise Log Dispatch](https://docs.samschroeder.lu/api/noise-run.md): POST /api/noise/run executes a noise log dispatch job, shipping LEEF events from stored archives to one or more SIEMs. Accepts Bearer token auth.
- [ThreatLab REST API — Endpoints and Response Reference](https://docs.samschroeder.lu/api/overview.md): ThreatLab exposes REST endpoints to ship exercise archives to SIEMs, run noise jobs, stream platform status events, and check server health.
- [GET /api/platform-status/events — Health SSE Stream](https://docs.samschroeder.lu/api/platform-status-sse.md): GET /api/platform-status/events streams real-time Icinga 2 platform health events as Server-Sent Events for any authenticated ThreatLab user.
- [POST /api/sessions/start — Ship Archive to a SIEM](https://docs.samschroeder.lu/api/sessions-start.md): POST /api/sessions/start downloads a signed archive and ships its log events to a SIEM. Returns event counts and shift days. Requires manage_exercises.
- [DELETE /api/sessions — Wipe Exercise Logs from SIEMs](https://docs.samschroeder.lu/api/sessions-wipe.md): DELETE /api/sessions wipes log data from Splunk or Elastic indexes and re-fires noise jobs with propagate_on_wipe enabled. Requires manage_exercises.
- [Changelog](https://docs.samschroeder.lu/changelog.md): Product updates and release notes for ThreatLab.
- [ThreatLab Exercises: SOC Training Scenarios Explained](https://docs.samschroeder.lu/concepts/exercises.md): Exercises are ThreatLab's core training unit — realistic SOC scenarios with ordered investigation steps, log archives, and expected artifacts to submit.
- [Learning Paths: Guided Exercise Sequences in ThreatLab](https://docs.samschroeder.lu/concepts/learning-paths.md): Learning paths sequence exercises into guided curricula with automatic unlock logic so analysts progress through scenarios in a deliberate order.
- [ThreatLab Roles and Capabilities: Permission Model](https://docs.samschroeder.lu/concepts/roles-capabilities.md): ThreatLab uses a capability-based permission model. Roles bundle capabilities; a user's effective permissions are the union of all their assigned roles.
- [SIEM Integrations: Splunk, QRadar, and Elasticsearch](https://docs.samschroeder.lu/concepts/siem-integrations.md): ThreatLab ships exercise log archives to your SIEM so analysts investigate real events. Supports Splunk HEC, syslog TCP, and Elasticsearch bulk indexing.
- [Configure ThreatLab for Your Organization's SOC Team](https://docs.samschroeder.lu/configuration.md): Set up SIEM destinations, noise log jobs, and user roles to tailor ThreatLab for your security team's training workflow and analyst onboarding experience.
- [Authoring Exercises: Build Realistic SOC Scenarios](https://docs.samschroeder.lu/guides/authoring-exercises.md): Create exercises with log archives, ordered steps, expected artifacts, and MITRE tags. Requires the manage_exercises capability to author.
- [Direct Messages: Encrypted Analyst Team Collaboration](https://docs.samschroeder.lu/guides/direct-messages.md): Send end-to-end AES-256-GCM encrypted direct messages to teammates in ThreatLab with real-time delivery and sidebar unread badge notifications.
- [Noise Log Jobs: Populate Your SIEM With Baseline Traffic](https://docs.samschroeder.lu/guides/noise-logs.md): Schedule recurring background LEEF log dispatches to Splunk, QRadar, or Elasticsearch so your SIEM always contains realistic baseline traffic.
- [Monitor Platform Health with the ThreatLab Status Page](https://docs.samschroeder.lu/guides/platform-status.md): The platform status page shows live Icinga 2 health data for your hosts and services, updated in real time via an SSE stream from ThreatLab.
- [Running ThreatLab Exercises: Analyst Workflow Guide](https://docs.samschroeder.lu/guides/running-exercises.md): Start an exercise, investigate log events in your SIEM, submit step artifacts, and complete the scenario to earn points and record your progress.
- [ThreatLab Introduction: SOC Training for Security Teams](https://docs.samschroeder.lu/introduction.md): ThreatLab is an operator console for SOC training. Build investigation exercises, ship log archives to your SIEM, and track analyst skill development.
- [Get Started with ThreatLab: Your First Investigation](https://docs.samschroeder.lu/quickstart.md): Sign in to ThreatLab, explore the exercise catalog, launch your first investigation, and submit your findings to earn your first leaderboard points.
- [Diagnose and Fix ThreatLab Login and Access Issues](https://docs.samschroeder.lu/troubleshooting/auth-issues.md): Fix login failures, unexpected session logouts, 403 Forbidden errors, and missing sidebar navigation items in ThreatLab for analysts and admins.
- [Diagnose and Fix Common ThreatLab Issues and Errors](https://docs.samschroeder.lu/troubleshooting/common-issues.md): Solutions to the most common ThreatLab problems: archive upload failures, exercise download errors, artifact submission rejections, and more.
- [ThreatLab SIEM Errors: Connection and Shipping Fixes](https://docs.samschroeder.lu/troubleshooting/siem-errors.md): Diagnose and fix errors when ThreatLab ships log archives to Splunk, QRadar, or Elasticsearch, including connection failures and wipe issues.