Incident Response Introduction to Detection Engineering: Ep.5 – Custom Alerting

Question

Task 3 -&nbsp;Note: It may take a couple of minutes for the token to appear in the index.I'm struggling with the python that it's been taking too long to create a custom_alert_index to autimatically complete it. it's in Task 3 and I need the good code for the task to be completed and the token as well.&nbsp;

hussain935 · Answer

In cell two, there are several placeholders that you will need to modify, they are:

LOOK_BACK_MINUTES: set this to 240
INSERT_JSON_QUERY: queries you use to find instances of lateral movement
VARIABLE1/2: used for extracting information from your query results
WAIT_TIME_SECONDS: how long the program should sleep before checking for new events

Once you have detected all lateral movement occurrences, this task will be completed, and a token will be written to the custom_alert_index.

rt · Answer

If you figure this one out, please let me know. I've been stuck on this one for multiple days and no luck. I am able to detect the lateral movements associated with the commands psexec, cmd.exe, and sc. But for some reason I am not getting the token after waiting more than 15 minutes and resetting the lab.&nbsp;

Forum Discussion

Incident Response Introduction to Detection Engineering: Ep.5 – Custom Alerting

2 Replies

Featured Places

Help

Related Content

Introduction to Detection Engineering: Ep.5 – Custom Alerting

Introduction to Detection Engineering: Ep.5 – Custom Alerting

Introduction to Detection Engineering: Ep.3 – Parent Processes - Kibana says no

Reverse Engineering

Systems Manager: Introduction - Question 2

Recent Discussions

Need help in Splunk Lab!

AI Agent Governance: Auditing an Over-Privileged Agent

Help with Cross Site Request Forgery (Twooter)

Lesson 7: Windows File Permissions

Templates do not add systems