Elastic Security for SIEM (On-Demand): Lab 5.1

Course: Elastic Security for SIEM (On-Demand): Lab 5.1
Version: --
Question:

In Module 5, the guide lists the following labs:

  • Lab 5.1: Lens Visualizations - Create a Visualization
  • Lab 5.2: Lens Visualizations - Data Table
  • Lab 5.3: Lens Visualizations - Multi-Layer Date Histogram

However, only the CTF challenge for Lab 5.3 appears to be available. In the first challenge of CTF 5.3, the following question is asked:

1 – Destination port
Using the visualization built in Lab 5.1, find the IP address with the highest count of records.
What destination port is used for most of its connections?

When I use the full timestamp range ("Day 0 to Now"), the destination port with the highest record count for the top IP address does not seem to be accepted as the correct answer. Because of this, I’m starting to believe that the challenge relies on a prerequisite visualization or specific configuration from Lab 5.1 that is not currently available, which may be leading me to an incorrect result.

If that’s not the case and I’m missing something else, I kindly ask for your assistance with this challenge, as I’ve tried several approaches but haven’t been able to move forward.

Hello,

The "5.3 - Lens" questions use the visualizations from labs 5.1, 5.2 and 5.3. Question 5.3-1 uses the visualization you made in lab 5.1. The issue seems to be your time range. If you select "Day-0" from the drop down and make no other changes to the timepicker, you should get the correct answer. By setting your time range to "Day 0 to Now", you have inadvertently included data for all the labs and capstone. The "Day-0" time range is Aug 1, 2018 @ 00:00:00 through Aug 1, 2018 @ 23:59:59 if you would like to double check it or set it manually.

Hey, thanks for your answer.

With the timestamp you said here, I got it done now. But as I said in my post, it doesn't show any previous lab 5.1 or 5.2. So by saying that, I couldn't know I needed the timestamp to be set at Day 0.

And now in 5.3-2, the first time I get asked two questions at the same time (IP and Port counts), I don't get an answer format to properly answer the question.

The labs themselves mention selecting "Day-0", but I agree that it should be stated in the question as well.

For 5.3-2, it wants a singular count. Looking at the same visualization you used for question 5.3-1, when you hover your mouse cursor over the bar for the top IP, it will show you a count for each destination port that IP address sent traffic to. The count of the highest one is your answer.

In the case of my example screenshot below, the answer for Q5.3-1 would be port 8096, and the answer for Q5.3-2 would be 20,654.

Note: This is example data that does not correlate to the actual answer in the course.
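As an added illustration (not code from the course, from Elastic, or from anyone in this thread), the Python below reproduces on constructed sample records what the Lab 5.1 chart shows and what the two answers above describe: the source IP with the most records, then, within that IP's bar, the destination port with the highest count. It runs the same calculation twice, once scoped to the "Day-0" range stated above (Aug 1, 2018 00:00:00 to 23:59:59) and once with an open upper bound standing in for "Day 0 to Now", to show how later data changes the top IP. The ECS-style field names, IP addresses, ports and counts are assumptions made for the example and do not correspond to the course answers.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample records (not the course data set) using ECS-style field names.
# Events on Aug 1, 2018 fall inside "Day-0"; later ones stand in for the other labs
# and the capstone that a "Day 0 to Now" range would also pull in.
SAMPLE_EVENTS = [
    {"@timestamp": "2018-08-01T00:00:00+00:00", "source.ip": "10.0.0.5", "destination.port": 8096},
    {"@timestamp": "2018-08-01T08:10:00+00:00", "source.ip": "10.0.0.5", "destination.port": 8096},
    {"@timestamp": "2018-08-01T09:20:00+00:00", "source.ip": "10.0.0.5", "destination.port": 8096},
    {"@timestamp": "2018-08-01T10:30:00+00:00", "source.ip": "10.0.0.5", "destination.port": 8096},
    {"@timestamp": "2018-08-01T11:40:00+00:00", "source.ip": "10.0.0.5", "destination.port": 443},
    {"@timestamp": "2018-08-01T23:59:59+00:00", "source.ip": "10.0.0.5", "destination.port": 443},
    {"@timestamp": "2018-08-01T13:00:00+00:00", "source.ip": "10.0.0.9", "destination.port": 22},
    {"@timestamp": "2018-08-01T14:00:00+00:00", "source.ip": "10.0.0.9", "destination.port": 22},
    {"@timestamp": "2018-08-01T15:00:00+00:00", "source.ip": "10.0.0.9", "destination.port": 22},
    # One second past Day-0: excluded by the Day-0 range, included by "Day 0 to Now".
    {"@timestamp": "2018-08-02T00:00:00+00:00", "source.ip": "10.0.0.9", "destination.port": 3389},
    {"@timestamp": "2018-08-02T01:00:00+00:00", "source.ip": "10.0.0.9", "destination.port": 3389},
    {"@timestamp": "2018-08-02T02:00:00+00:00", "source.ip": "10.0.0.9", "destination.port": 3389},
    {"@timestamp": "2018-08-02T03:00:00+00:00", "source.ip": "10.0.0.9", "destination.port": 3389},
    {"@timestamp": "2018-08-03T04:00:00+00:00", "source.ip": "10.0.0.9", "destination.port": 3389},
    {"@timestamp": "2018-08-03T05:00:00+00:00", "source.ip": "10.0.0.9", "destination.port": 3389},
    {"@timestamp": "2018-08-03T06:00:00+00:00", "source.ip": "10.0.0.9", "destination.port": 3389},
    {"@timestamp": "2018-08-03T07:00:00+00:00", "source.ip": "10.0.0.9", "destination.port": 3389},
]

# The "Day-0" range as given in the thread: Aug 1, 2018 @ 00:00:00 through 23:59:59.
DAY0_START = datetime(2018, 8, 1, 0, 0, 0, tzinfo=timezone.utc)
DAY0_END = datetime(2018, 8, 1, 23, 59, 59, tzinfo=timezone.utc)


def filter_by_time(events, start=None, end=None):
    """Keep events whose @timestamp lies within [start, end] inclusive.
    None on either side means unbounded; end=None mimics a "... to Now" range."""
    kept = []
    for ev in events:
        ts = datetime.fromisoformat(ev["@timestamp"])
        if start is not None and ts < start:
            continue
        if end is not None and ts > end:
            continue
        kept.append(ev)
    return kept


def top_ip_and_port(events, start=None, end=None):
    """Reproduce the Lab 5.1 chart reading: the source.ip with the most records,
    then the destination.port with the most records among that IP's events.
    Returns (ip, ip_record_count, port, port_record_count), or None if no events
    fall in the range."""
    scoped = filter_by_time(events, start, end)
    if not scoped:
        return None
    ip_counts = Counter(ev["source.ip"] for ev in scoped)
    top_ip, ip_total = ip_counts.most_common(1)[0]
    port_counts = Counter(
        ev["destination.port"] for ev in scoped if ev["source.ip"] == top_ip
    )
    top_port, port_total = port_counts.most_common(1)[0]
    return top_ip, ip_total, top_port, port_total


if __name__ == "__main__":
    # Q5.3-1 asks for the port, Q5.3-2 for the singular count of that port.
    print("Day-0 only:   ", top_ip_and_port(SAMPLE_EVENTS, DAY0_START, DAY0_END))
    print("Day-0 to now: ", top_ip_and_port(SAMPLE_EVENTS, DAY0_START, None))
```

With this sample data the Day-0 range yields 10.0.0.5 with port 8096 (count 4), while the open-ended range makes 10.0.0.9 the top IP with port 3389 (count 8), which is the kind of shift that produced the "incorrect" answer described in the first post. In Lens the same scoping is done by the time picker rather than in code, but the order of operations (time filter first, then top IP, then that IP's port breakdown) is what the two questions depend on.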

Again, thank you very much for your support.

I just wanted to share a bit of feedback, at least of my experience. When the lab mentions things like "Day 0", it’s not entirely clear to the person completing the exercise unless that’s explicitly defined as a key rule and clearly highlighted. Small details like that can end up taking a lot of time. Personally, I don’t recall seeing that mentioned anywhere.

Also, when you mention things like “it wants a singular count,” while that may seem obvious in hindsight, the instructions don’t really make that clear. The answer could reasonably be expected in several different formats, so a task that isn’t inherently difficult ends up feeling more time-consuming due to input formatting that’s a bit ambiguous.

Again, many thanks! And about the 5.3-3

Since I don't know the 5.2 settings, is it "Day 0" as well? Is there anything different that I should know? I already gave it a try here with my "Day 0" setup told by you and I'm getting incorrect answers.

EDIT: The previous one 5.3-2, got it done with your instructions, forgot to mention that!