MicrosoftLearning / SC-200T00A-Microsoft-Security-Operations-Analyst

MIT License

Module 7-LAB1: Exercise 3, Exercise 7, Exercise 8, Exercise 9, Exercise 11 and Module 8 - Lab 1 - Exercise 1 #259

Closed suraj-only-git closed 4 months ago

suraj-only-git commented 4 months ago

Contact Details

No response

What happened?

Mod 7 - Lab 1 Exercise: 03 Task: 01 Step: 04

Description of issue: The New CloudShell User analytics rule is not present in the rule templates, because of which we are not able to set up the scheduled query.

Mod 7 - Lab 1 Exercise: 07 Task: 01 Step: 04

Description of issue: The Startup.bat file is not present or is missing; running the query in Sentinel logs does not give the expected output.

Mod 7 - Lab 1 Exercise: 08 Task: 01 Step: 04

Description of issue: Unable to find the Startup RegKey alerts, because in Exercise 7 Step 7 the query returns no output even after waiting for a long time.

Mod 7 - Lab 1 Exercise: 09 Task: 01 Step: 20

Description of issue: Getting an error after running the query for the function imRegistry; loading the function query using KQL throws an error in Log Analytics like: 'table' operator: Failed to resolve table expression named 'starttime'

Mod 7 - Lab 1 Exercise: 11 Task: 01 Step: 04

Description of issue: Unable to find the Startup RegKey alerts, because in Exercise 7 Step 7 the query returns no output even after waiting for a long time.

Mod 8 - Lab 1 Exercise: 1 Task: 01 Step: 04

Description of issue: Not getting the expected output schema to leverage hunting as instructed in the guide.

Lab

Other


djcmct commented 4 months ago

Think I can help you with these.

Mod 7 - Lab 1 Exercise: 03: The New CloudShell User template is installed as part of the Azure Activity solution (Mod 6 Lab 1 Ex 1 Task 3, steps 1-4).

[screenshot: s1]

So it will then be available in Analytic Rule Templates.

[screenshot: s2]

Mod 7 - Lab 1 Exercise: 07: The attack conducted in Mod 7 Lab 1 Ex 6 Task 1 doesn't create a file; it creates a registry key to simulate the attack.

[screenshot: s3]

Mod 7 - Lab 1 Exercise: 08: The alert should fire based on the creation of the analytic rule in Mod 7 Lab 1 Ex 7 Task 1.

[screenshot: s4]

Are you receiving the result above when running the final KQL query of that task? If not, check that WINSERVER is reported as Connected and the Monitoring extension as Installed in Azure Arc.

[screenshot: s5]

And that the Windows Security Events connector is receiving data: are you getting any logs from WINSERVER? If you are receiving the result from the final KQL query, then check the configuration of the analytic rule; it should fire the alerts.

[screenshot: s6]

Mod 7 - Lab 1 Exercise: 09: I get the same; I generally get people to use the "Use in editor" option to run the parser in step 23 rather than from the code.

Mod 7 - Lab 1 Exercise: 11: If you can resolve the earlier issues with the Startup RegKey alerts, then this will be available to complete.

Mod 8 - Lab 1 Exercise: 1: This should generate logs based on the attack in Mod 7 Lab 1 Ex 6 Task 3 and should result in this:

[screenshot: s7]

This will be the same problem that's stopping logs related to the Startup RegKey incident, so if you can resolve that, then this should just work too.

Hope this helps.
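As an added illustration of the Exercise 9 error discussed in this thread (a constructed example, not the lab's imRegistry parser and not code from either commenter): a KQL function whose body filters on its own `starttime`/`endtime` parameters, in the style ASIM parsers use, fails with "Failed to resolve table expression named 'starttime'" when only the body is pasted and run, and works when the function is invoked with those parameters, which is what the "Use in editor" option generates. `SecurityEvent`, its columns and Event ID 4657 are real; the function name `RegistryParserExample` is hypothetical.

```kql
// Constructed example: a minimal parser in the style of an ASIM parser,
// filtering on starttime/endtime parameters the way imRegistry does.
// Running only the inner query (the lines between the braces) on its own fails with
//   'table' operator: Failed to resolve table expression named 'starttime'
// because starttime is a function parameter, not a table or a let variable.
let RegistryParserExample = (starttime: datetime = datetime(null), endtime: datetime = datetime(null)) {
    SecurityEvent
    // Event 4657: a registry value was modified (Windows Security audit event)
    | where EventID == 4657
    // Same parameter pattern as ASIM parsers: null means "no bound"
    | where (isnull(starttime) or TimeGenerated >= starttime)
    | where (isnull(endtime) or TimeGenerated <= endtime)
    | project TimeGenerated, Computer, Account, ObjectName
};
// Correct usage: invoke the function and supply the parameters,
// which is what the "Use in editor" option does for a saved function.
RegistryParserExample(starttime=ago(7d), endtime=now())
| take 10
```

Once the function is saved as a workspace function, the same call form applies; pasting the bare body into the editor always reproduces the error because nothing binds the parameter names.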

KenMAG commented 4 months ago

It sounds like this is resolved. Thanks @djcmct, I am closing.