Forum Discussion
Incident Response Introduction to Detection Engineering: Ep.5 – Custom Alerting
Task 3
Use your knowledge from the previous labs to write a real-time detection for lateral movement.
No changes need to be made to cell one of the notebook.
In cell two, there are several placeholders that you will need to modify:
- LOOK_BACK_MINUTES: set this to 240
- INSERT_JSON_QUERY: queries you use to find instances of lateral movement
- VARIABLE1/2: used for extracting information from your query results
- WAIT_TIME_SECONDS: how long the program should sleep before checking for new events
Once you have detected all lateral movement occurrences, this task will be completed, and a token will be written to the custom_alert_index.
Then click on Discover in the Analytics section. On the data view dropdown, select lab. For the lookback time, use four hours (240 minutes).
Note: It may take a couple of minutes for the token to appear in the index.
I'm struggling with the Python; it's been taking too long to create a custom_alert_index to automatically complete it. It's in Task 3 and I need the good code for the task to be completed and the token as well.
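As an added illustration of the loop the task describes (look-back window, JSON query, variable extraction, write to custom_alert_index, sleep, repeat), here is a self-contained example. It is not the lab's notebook code and does not produce the lab's token; the token is written by the lab once the real events are detected. The Elasticsearch client is replaced by an in-memory stand-in that mimics the `search(index=..., query=...)` and `index(index=..., document=...)` keyword arguments of `elasticsearch.Elasticsearch`, the events are constructed, and the field names (`winlog.event_id`, `winlog.event_data.LogonType`, `IpAddress`, `TargetUserName`, `host.name`, Winlogbeat-style) and the 4624/LogonType 3 network-logon heuristic are assumptions to be replaced with whatever the lab's data actually contains. `WAIT_TIME_SECONDS` is likewise an assumed value.

```python
"""Polling detection loop for lateral movement with an in-memory stand-in for Elasticsearch."""
import time
from datetime import datetime, timedelta, timezone

LOOK_BACK_MINUTES = 240          # value given in the task text
WAIT_TIME_SECONDS = 30           # assumed polling interval
SOURCE_INDEX = "lab"             # data view named in the task
ALERT_INDEX = "custom_alert_index"


def build_query(now, look_back_minutes=LOOK_BACK_MINUTES):
    """INSERT_JSON_QUERY equivalent: network logons (4624, LogonType 3) inside the look-back window.
    Field names are assumed Winlogbeat fields; adjust to the lab data."""
    start = (now - timedelta(minutes=look_back_minutes)).isoformat()
    return {"bool": {"filter": [
        {"range": {"@timestamp": {"gte": start, "lte": now.isoformat()}}},
        {"term": {"winlog.event_id": 4624}},
        {"term": {"winlog.event_data.LogonType": "3"}},
    ]}}


def extract(hit):
    """VARIABLE1/2 equivalent: pull the fields an analyst needs out of one hit."""
    src = hit["_source"]
    data = src.get("winlog", {}).get("event_data", {})
    return {"event_id": hit["_id"],
            "timestamp": src["@timestamp"],
            "source_ip": data.get("IpAddress"),              # VARIABLE1: where the logon came from
            "target_host": src.get("host", {}).get("name"),  # VARIABLE2: where it landed
            "user": data.get("TargetUserName")}


def run_detection_cycle(es, now, seen):
    """One pass: query the window, skip hits already alerted on, write new alerts. Returns count."""
    resp = es.search(index=SOURCE_INDEX, query=build_query(now))
    new_alerts = 0
    for hit in resp["hits"]["hits"]:
        if hit["_id"] in seen:          # dedupe: the window overlaps between cycles
            continue
        seen.add(hit["_id"])
        alert = {"rule": "lateral_movement_network_logon",
                 "detected_at": now.isoformat(), **extract(hit)}
        es.index(index=ALERT_INDEX, document=alert)
        new_alerts += 1
    return new_alerts


def poll(es, cycles, clock=lambda: datetime.now(timezone.utc), sleep=time.sleep):
    """Real-time loop: run a cycle, sleep WAIT_TIME_SECONDS, repeat. Returns total alerts written."""
    seen, total = set(), 0
    for _ in range(cycles):
        total += run_detection_cycle(es, clock(), seen)
        sleep(WAIT_TIME_SECONDS)
    return total


class FakeElastic:
    """Minimal stand-in for elasticsearch.Elasticsearch supporting term and range filters only."""
    def __init__(self, docs):
        self.indices = {SOURCE_INDEX: [dict(d) for d in docs], ALERT_INDEX: []}

    @staticmethod
    def _get(doc, path):
        cur = doc
        for part in path.split("."):
            if not isinstance(cur, dict) or part not in cur:
                return None
            cur = cur[part]
        return cur

    def _match(self, clause, doc):
        if "term" in clause:
            (field, value), = clause["term"].items()
            return self._get(doc, field) == value
        (field, bounds), = clause["range"].items()
        val = self._get(doc, field)   # ISO-8601 strings in one format compare lexicographically
        return val is not None and bounds["gte"] <= val <= bounds["lte"]

    def search(self, index, query, size=100):
        hits = [{"_id": d["_id"], "_source": {k: v for k, v in d.items() if k != "_id"}}
                for d in self.indices[index]
                if all(self._match(f, d) for f in query["bool"]["filter"])]
        return {"hits": {"hits": hits[:size]}}

    def index(self, index, document):
        self.indices[index].append(dict(document))
        return {"result": "created"}


NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for the constructed data


def _event(_id, minutes_ago, logon_type, ip, host, user):
    return {"_id": _id, "@timestamp": (NOW - timedelta(minutes=minutes_ago)).isoformat(),
            "host": {"name": host},
            "winlog": {"event_id": 4624, "event_data": {
                "LogonType": logon_type, "IpAddress": ip, "TargetUserName": user}}}


SAMPLE_EVENTS = [  # constructed events, not lab data
    _event("e1", 10, "3", "10.0.0.5", "FILESRV01", "svc_backup"),  # in window, network logon -> alert
    _event("e2", 90, "3", "10.0.0.5", "DC01", "svc_backup"),       # in window, network logon -> alert
    _event("e3", 30, "2", "-", "WKSTN07", "alice"),                # interactive logon -> ignored
    _event("e4", 600, "3", "10.0.0.9", "FILESRV01", "bob"),        # outside the 240-minute window
]


def demo():
    """Two polling cycles over the sample data; returns (alerts written, docs in alert index)."""
    es = FakeElastic(SAMPLE_EVENTS)
    total = poll(es, cycles=2, clock=lambda: NOW, sleep=lambda s: None)
    return total, len(es.indices[ALERT_INDEX])


if __name__ == "__main__":
    print(demo())   # (2, 2)
```

Against a real cluster, `FakeElastic` is replaced by an `Elasticsearch` client and the `clock`/`sleep` defaults are left in place; the `seen` set is what stops the overlapping 240-minute window from re-alerting on the same event every cycle, which is the usual reason a loop like this appears to run forever without ever finishing.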