5G Security Operations — SOC for 5G Core Networks · Pro
You are on call as a SOC analyst at a Tier-1 operator. At 02:14, a SIEM alert fires: AMF instance amf-prod-04 is making SBI calls to UDM for subscriber data fetches in patterns inconsistent with normal AMF behavior. The volume is moderate (50 fetches per hour, not aggressive), but the patterns suggest enumeration rather than legitimate registration. You will walk through the full IR cycle: identify, contain, eradicate, recover, lessons-learned.
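One way to triage the alert in the identify phase, as an added example that is not part of the course material: during a legitimate registration an AMF registers itself as the serving AMF with UDM (Nudm_UECM) before fetching subscription data (Nudm_SDM), so fetches for SUPIs that the same AMF never registered are candidates for enumeration. The log line format, the sample lines, the threshold and the function names are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# Constructed SBI access-log lines; the line format is an assumption, not a vendor format.
SAMPLE_LOG = """\
02:01:10 nf=amf-prod-01 PUT /nudm-uecm/v1/imsi-001010000000101/registrations/amf-3gpp-access
02:01:11 nf=amf-prod-01 GET /nudm-sdm/v2/imsi-001010000000101/am-data
02:03:40 nf=amf-prod-04 PUT /nudm-uecm/v1/imsi-001010000000202/registrations/amf-3gpp-access
02:03:41 nf=amf-prod-04 GET /nudm-sdm/v2/imsi-001010000000202/am-data
02:05:00 nf=amf-prod-04 GET /nudm-sdm/v2/imsi-001010000000900/am-data
02:06:12 nf=amf-prod-04 GET /nudm-sdm/v2/imsi-001010000000901/am-data
02:07:24 nf=amf-prod-04 GET /nudm-sdm/v2/imsi-001010000000902/am-data
02:08:36 nf=amf-prod-01 GET /nudm-sdm/v2/imsi-001010000000555/am-data
"""

LINE_RE = re.compile(
    r"nf=(?P<nf>\S+) (?P<method>PUT|GET) /nudm-(?P<svc>uecm|sdm)/v\d+/(?P<supi>imsi-\d+)/"
)

def orphan_fetches(log_text, known_registrations=None):
    """Map each NF to the SUPIs it fetched via SDM without a prior UECM registration."""
    registered = defaultdict(set)
    # Seed with registrations that predate the log window, if the caller has them.
    for nf, supis in (known_registrations or {}).items():
        registered[nf].update(supis)
    orphans = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # line is not a UECM/SDM call in the assumed format
        nf, supi = m["nf"], m["supi"]
        if m["svc"] == "uecm" and m["method"] == "PUT":
            registered[nf].add(supi)
        elif m["svc"] == "sdm" and m["method"] == "GET":
            if supi not in registered[nf] and supi not in orphans[nf]:
                orphans[nf].append(supi)
    return {nf: supis for nf, supis in orphans.items() if supis}

def flag_enumeration(log_text, min_orphans=3, known_registrations=None):
    """Return only NFs whose orphan-fetch count reaches the (assumed) threshold."""
    found = orphan_fetches(log_text, known_registrations)
    return {nf: supis for nf, supis in found.items() if len(supis) >= min_orphans}

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
```

Registrations made before the log window look like orphans unless they are passed in through `known_registrations`, so seed it from UDM state before trusting the counts.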