Threat Analysis Division
Operation Qasbah
Log Analysis & SIEM Expert Training - 3 to 5-Day SOC Investigation
QSB
// Mission Briefing
On April 14, 2025, a national holiday, the WAF logs of the e-Maghrib e-government portal show an unusual spike in 403 errors. By 03:15, the IP address behind that spike successfully authenticates to the admin panel. By 04:30, internal DNS logs reveal queries to UNC-7913 infrastructure domains. 12 million citizen records are at risk. SOC coverage is reduced to 3 analysts instead of 8. The Threat Analysis Division is activated. 21 missions across 8 infrastructure zones - from DMZ-Web to SOC-Hub. Correlate JSON logs, syslog, Windows EVTX, and DNS records. Reconstruct the intrusion timeline before the adversary exfiltrates the data.
// Skills Acquired
Log Analysis
SIEM Operations
Event Correlation
Timeline Reconstruction
IOC Detection
Sigma Rule Writing
PowerShell Deobfuscation