How to set up a mock threat coming into Threat Intelligence Security Center
02-10-2025 02:08 AM
I want to create a demo of an automated Threat Detection and Response in TISC workspace. Is there a way to create a mock threat attacking the system so that I can try creating a case in TISC workspace?

02-11-2025 04:23 AM
Hi @VarisaraV,
Creating a realistic threat detection and response demo in the TISC workspace requires simulating threat events rather than launching actual attacks. The safest approach is manual simulation: define a threat scenario (e.g., malware infection) and create mock indicators like CIs (e.g., infected servers) and events (e.g., "Malicious file detected"). Populate the TISC workspace with these simulated elements. For a more advanced approach (use with extreme caution and only in non-production), scripting can automate event and CI creation. A scheduled job could generate mock malware detection events, as shown in this example:
```javascript
// Mock malware detection event (em_event) tied to a mock server CI
var grEvent = new GlideRecord('em_event');
grEvent.initialize();
grEvent.name = 'Malware Detected';
grEvent.description = 'Malicious software detected on server SRV001';
grEvent.source = 'Antivirus System';
grEvent.severity = 3;
grEvent.ci = 'YOUR_MOCK_SERVER_SYS_ID'; // Replace with a mock server CI's sys_id
grEvent.insert();

// Matching incident record for the same mock CI
var grIncident = new GlideRecord('incident');
grIncident.initialize();
grIncident.short_description = 'Possible Malware Infection on SRV001';
grIncident.description = 'Antivirus software reported malware on server SRV001. Investigating.';
grIncident.cmdb_ci = 'YOUR_MOCK_SERVER_SYS_ID'; // Same mock CI sys_id as above
grIncident.category = 'Security';
grIncident.insert();
```
Remember to replace 'YOUR_MOCK_SERVER_SYS_ID' with the actual sys_id of a mock CI. Integrating demo threat intelligence feeds can add realism. Focus your demo on how TISC detects, investigates, and responds to these simulated threats, including any automated playbooks. Crucially, perform all simulations in a non-production instance to avoid any risk to your live system. Document the simulated scenario and steps taken.
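Building on the script in the answer above, here is an added example (not from the original answer or from ServiceNow) of how the scheduled-job version might be written so that every mock record carries a visible demo tag and the job refuses to run unless the instance name is on an explicit allow list. The instance names, the `Demo Antivirus System` source, the `runDemo` entry point and the small `glide` adapter object are assumptions; `gs.getProperty('instance_name')` is the standard system property the real call site would read.

```javascript
// Added example: tagged mock TISC events/incidents with an instance allow list.
var DEMO_TAG = '[TISC-DEMO-SIM] ';                 // marks every mock record
var ALLOWED_INSTANCES = ['acmedev', 'acmetest'];   // constructed instance names
// Allow-list check: the demo never runs on an instance that is not listed.
function isSafeInstance(instanceName, allowed) {
  return allowed.indexOf(String(instanceName || '').toLowerCase()) !== -1;
}
// Field sets for one mock malware scenario against a given CI sys_id.
function buildScenario(hostName, ciSysId) {
  return {
    event: {
      name: 'Malware Detected',
      description: DEMO_TAG + 'Malicious software detected on server ' + hostName,
      source: 'Demo Antivirus System',
      severity: 3,
      ci: ciSysId
    },
    incident: {
      short_description: DEMO_TAG + 'Possible Malware Infection on ' + hostName,
      description: DEMO_TAG + 'Simulated antivirus alert for ' + hostName + '. Demo only.',
      cmdb_ci: ciSysId,
      category: 'Security'
    }
  };
}
// Insert one record through the adapter (GlideRecord in ServiceNow); returns the sys_id.
function insertRecord(glide, table, fields) {
  var gr = glide.newRecord(table);
  gr.initialize();
  Object.keys(fields).forEach(function (k) { gr.setValue(k, fields[k]); });
  return gr.insert();
}
// Entry point for the scheduled job: returns what was created, or why it skipped.
function runDemo(glide, instanceName, hostName, ciSysId) {
  if (!isSafeInstance(instanceName, ALLOWED_INSTANCES)) {
    return { ran: false, reason: 'instance "' + instanceName + '" is not on the allow list' };
  }
  var s = buildScenario(hostName, ciSysId);
  return {
    ran: true,
    eventId: insertRecord(glide, 'em_event', s.event),
    incidentId: insertRecord(glide, 'incident', s.incident)
  };
}
// Inside ServiceNow (hypothetical call site): runDemo({ newRecord: function (t) { return new GlideRecord(t); } },
//   gs.getProperty('instance_name'), 'SRV001', 'YOUR_MOCK_SERVER_SYS_ID');
```

The tag makes every demo record easy to find for review and cleanup afterwards (e.g. the encoded query `descriptionLIKE[TISC-DEMO-SIM]`).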