Intermediate | 60 to 120 minutes | Instructor visible

Cybersecurity Blue Team / SOC Analyst Intermediate lab 1

A learner provisions an isolated cybersecurity blue team / SOC analyst environment and completes a guided operational task.

Business context

Ultiblob uses this exercise to train SOC analyst and detection engineer candidates on realistic private-cloud lab operations rather than static videos.

Technical objective

Configure the core cybersecurity blue team / SOC analyst services, verify health, and record the result in the lab progress view.

Student instructions

  1. Open the lab workspace and review the topology map.
  2. Launch the required templates and wait for all provisioning checks to complete.
  3. Complete the configuration task in the course module.
  4. Run validation and capture the result for instructor review.
  5. Create a snapshot before any risky troubleshooting or failure exercise.

Troubleshooting

  • If access fails, confirm the bastion session is active and the instance is not expired.
  • If validation fails, inspect the lab event log before rerunning the check.
  • If configuration drifts, restore the latest clean snapshot and repeat the module task.

Cleanup

  • Export notes or reports required by the instructor.
  • Restore or delete temporary snapshots created during the exercise.
  • Use the teardown action when the module is complete or allow the TTL policy to expire the lab.

Launch flow

Provisioning readiness

Click Launch lab to start the provisioning flow and watch each stage complete.

  1. Request accepted
  2. Capacity reserved
  3. Templates queued
  4. Validation running
  5. Workspace ready

Required templates

  • SIEM/logging node - defined
  • Kali/security workstation - defined
  • Windows Server 2022 base - defined
  • Ubuntu Server 24.04 - available

Validation checks

  • SIEM receiving logs: A generated test event appears in the tenant security index.
  • Firewall rules active: Allowed path works and denied east-west path is blocked.
  • VM reachable: The VM reports boot complete and responds through the tenant bastion path.

Expected result

The lab reaches the Healthy state for all three checks: SIEM receiving logs, Firewall rules active, and VM reachable.

Reset policy: Student can reset to the last clean snapshot; instructor can force reset from admin view.

Teardown policy: Automatic teardown at TTL expiry with manual instructor override for cohorts.