Closed suraj-only-git closed 4 months ago
Think I can help you with these
Mod 7 - Lab 1 Exercise : 03 New CloudShell User template is installed as part of the Azure Activity Solution - Mod 6 lab1 Ex 1 task 3 steps 1 - 4
So then will be available in Analytic Rule Templates
Mod 7 - Lab 1 Exercise : 07 The attack conducted Mod7 Lab 1 Ex 6 Task 1 doesn't create a File, it creates a Registry key to simulate the attack
Mod 7 - Lab 1 Exercise : 08 Alert should fire based on creation of analytic rule Mod 7 Lab 1 Ex 7 Task 1
Are you receiving the result above when running the final KQL query of that task? If not, check that WINSERVER is reported as being Connected and that the Monitoring extension is Installed in Azure Arc,
and that the Windows Security Events connector is receiving data. Are you getting any logs from WINSERVER? If you are receiving the result from the final KQL query, then check the configuration of the analytic rule; it should fire the alerts.
Mod 7 - Lab 1 Exercise : 09 I get the same; I generally get people to use the "Use in editor" option to run the parser in step 23 rather than running it from the code.
Mod 7 - Lab 1 Exercise : 11 If you can resolve the earlier issues with the Startup Regkey alerts then this will be available to complete
Mod 8 - Lab 1 Exercise : 1 This should generate logs based on the attack Mod 7 Lab 1 Ex 6 Task 3 and should result in this
This will be the same problem that's stopping logs related to the Startup RegKey incident, so if you can resolve that, then this should just work too.
Hope this helps
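As an added example (not from the lab guide or either commenter), this is what the "Use in editor" route amounts to for the imRegistry error in Exercise 09: invoke the ASIM parser as a function with its time-range parameters instead of pasting its body, whose references to `starttime` and `endtime` are function parameters and therefore unresolvable as tables. The parameter names, the Run-key filter and the projected columns are assumptions based on the ASIM Registry schema, not values taken from this thread.

```kql
// Added example, not part of the lab or the issue thread.
// Pasting the parser body into the editor fails with
//   'table' operator: Failed to resolve table expression named 'starttime'
// because starttime/endtime are parameters of the imRegistry function.
// Calling the function by name binds them (parameter names assumed from ASIM).
let lookback = 1d;
imRegistry(starttime=ago(lookback), endtime=now())
// Illustrative filter (assumption): registry activity on the usual
// autostart locations, which is what a "Startup RegKey" rule would inspect.
| where EventType in ("RegistryKeyCreated", "RegistryValueSet")
| where RegistryKey has @"\CurrentVersion\Run"
// Column names follow the ASIM Registry schema (assumption).
| project TimeGenerated, DvcHostname, ActorUsername, EventType,
          RegistryKey, RegistryValue, RegistryValueData
| order by TimeGenerated desc
```

If this returns rows but the Startup RegKey alert still never fires, the gap is in the analytic rule's schedule or lookback, not in the parser.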
It sounds like this is resolved. Thanks @djcmct, I am closing.
Contact Details
No response
What happened?
Mod 7 - Lab 1 Exercise : 03 Task: 01 Step: 04
Description of issue: The New CloudShell User analytics rule is not present in the rule templates, because of which we are not able to set up the scheduled query.
Mod 7 - Lab 1 Exercise : 07 Task: 01 Step: 04
Description of issue: The Startup.bat file is not present or is missing; running the query in Sentinel logs does not give the expected output.
Mod 7 - Lab 1 Exercise : 08 Task: 01 Step: 04
Description of issue: Unable to find the Startup RegKey Alerts because in Exercise 7 Step 7 the query results no output even after waiting for a long time
Mod 7 - Lab 1 Exercise : 09 Task: 01 Step: 20
Description of issue: Getting an error after running the query for the function imRegistry. Loading the function query using KQL throws errors in Log Analytics like ['table' operator: Failed to resolve table expression named 'starttime'].
Mod 7 - Lab 1 Exercise : 11 Task: 01 Step: 04
Description of issue: Unable to find the Startup RegKey Alerts because in Exercise 7 Step 7 the query results no output even after waiting for a long time
Mod 8 - Lab 1 Exercise : 1 Task: 01 Step: 04
Description of issue: Not getting the expected output schema to leverage hunting as described in the guide.
Lab
Other