Forum Discussion

Bronze III

25 days ago

Solved

Elastic Data Ingest: Ep.1 – Auditbeat

Hello,

I'm stuck on Q11 of this lab and would greatly appreciate some help, please. I'm a little confused as to how to go about answering the question? If I use the filter for - Processhash.sha1 IS 4, I get 0 which is incorrect.

help & support

neeemu
22 days ago
You're provided the Process PID in the tasks so searching for that returns event for that process. Expanding that event will show further details, one of which is the SHA1 hash.

3 Replies

neeemu
Bronze III
25 days ago
When you identify the process from the Process Events [Auditbeat System] ECS dashboard at the bottom, expanding by clicking the 2 way arrow symbol will allow you to search for the SHA1 value for that process.
- Dark_Knight666
  Bronze III
  22 days ago
  neeemu - Thank you for commenting. But I guess my question now is how did you identify the first 4 characters of the process sha1 hash? A little stuck on this part.
  - neeemu
    Bronze III
    22 days ago
    You're provided the Process PID in the tasks so searching for that returns event for that process. Expanding that event will show further details, one of which is the SHA1 hash.

Forum Discussion

Elastic Data Ingest: Ep.1 – Auditbeat

3 Replies

Featured Places

Help & Support Forum

Related Content

Elastic Data Ingest: Ep.2 – Filebeat

Elastic Data Ingest: Ep.5 – Packetbeat

Introduction To Elastic: Ep.9 – ES|QL

Need help: Endace: Ep.3 – Elastic Integration Scenario

Microsoft Sentinel Deployment & Log Ingestion: Ingesting Platform Logs via Diagnostic Settings

Recent Discussions

Help with Cross Site Request Forgery (Twooter)

Immersive GUI

Privilege Escalation: Windows – Unquoted Service Paths

TLS Fundamentals: Ep.8 – Final Challenge

Elastic Data Ingest: Ep.5 – Packetbeat