Forum Discussion
Need help: Endace: Ep.3 – Elastic Integration Scenario
- 5 months ago
Hey Steven! Hope you're well. I've had a quick run through the lab and to your points above:
1. I was able to find the named pipe, but not in Elastic. The SIEM isn't collecting Sysmon logs (or something else that would show named pipe creation) - but using Endace I could find the pipe name.
2. I did find that on my first attempt, this didn't seem to play nicely for me, but restarting the lab and waiting 5 mins (cup of tea time), I came back to that last question and followed the process without issue. I haven't worked out if it was a Layer 8 problem (me) or if something else happening, but we are looking into this now.
Because this is a challenge lab, we don't usually give out too much information, but please reply here if you have further problems. I was able to complete the lab however.
Our Endace expert has travelled to the APAC region this week, so waiting for them to resurface later today to help troubleshoot.
UPDATE: With a little more analysis, I did notice that when you follow the stream reference link in Elastic to Endace, a little bit of patience is needed to allow the stream to load and the initial analysis to be done, otherwise trying to run the post-process action straight away can make Endace misbehave? We will continue to look at this and see if we can make any improvements.
- steven 5 months ago
Silver II
That's interesting. I've started the lab again today, and just let it run for 15 min (2 coffees) and then magically: file extraction (via send) showed a file for the first time (it never did before), and with the right SMB filter in Wireshark it was visible too (I'm pretty sure it wasn't before).
And I didn't put any filter on before; I was always watching all packets in Wireshark.
Strange... /me always gets confused by such behaviour. Anyway, lab closed. Thanks RobReeves!
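Both posts above come down to the same point: with the SIEM not collecting Sysmon pipe events (Event ID 17/18), the pipe name only survives on the wire, in the SMB2 CREATE the client sends against IPC$, which is what the SMB filter in Wireshark (or Endace's stream view) surfaces. As an added example that is not part of this thread or the lab, the Python below parses that structure directly from a NetBIOS-framed TCP/445 stream so you can pull pipe names out without the GUI. The offsets follow the MS-SMB2 header (2.2.1.2) and CREATE request (2.2.13); the sample traffic, the pipe name `mytool-ctrl` and the short `NOTABLE_PIPES` list are constructed for illustration.

```python
"""Recover named-pipe names from SMB2 CREATE requests on the wire.

Added example, not code from the forum thread or the lab. Sample traffic is
constructed inline with the same builders the parser is tested against.
"""
import struct

SMB2_PROTOCOL_ID = b"\xfeSMB"
SMB2_TREE_CONNECT = 0x0003
SMB2_CREATE = 0x0005
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # set on responses, clear on requests
HEADER_LEN = 64
CREATE_BODY_LEN = 56                     # fixed part of CREATE before the name buffer

# Illustrative (not exhaustive) RPC pipes commonly opened during remote admin
# and lateral movement: service control, scheduler, registry, SAM/LSA, etc.
NOTABLE_PIPES = {"svcctl", "atsvc", "winreg", "samr", "lsarpc", "srvsvc", "spoolss"}


def smb2_header(command, tree_id=1, session_id=0x1234, message_id=1):
    """Build an SMB2 request header (request flags clear, zero signature)."""
    return struct.pack("<4sHHIHHIIQIIQ16s", SMB2_PROTOCOL_ID, HEADER_LEN, 1, 0,
                       command, 1, 0, 0, message_id, 0, tree_id, session_id,
                       b"\x00" * 16)


def smb2_create_request(pipe_name, **hdr):
    """Constructed CREATE request opening `pipe_name`. The name is UTF-16LE and
    NameOffset is measured from the start of the SMB2 header."""
    name = pipe_name.encode("utf-16-le")
    body = struct.pack("<HBBIQQIIIIIHHII",
                       57, 0, 0, 2, 0, 0,
                       0x0012019F,                      # DesiredAccess
                       0,                               # FileAttributes
                       7,                               # ShareAccess read|write|delete
                       1,                               # CreateDisposition FILE_OPEN
                       0x00400040,                      # NON_DIRECTORY_FILE|SYNCHRONOUS_IO_NONALERT
                       HEADER_LEN + CREATE_BODY_LEN,    # NameOffset
                       len(name), 0, 0)                 # NameLength, no create contexts
    return smb2_header(SMB2_CREATE, **hdr) + body + name


def nbss_frame(msg):
    """Wrap one SMB2 message in a NetBIOS Session Service header (0x00 + 3-byte length)."""
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def _walk_compound(msg):
    """Yield (session_id, tree_id, name) for each CREATE request in one SMB2
    message, following NextCommand so compounded requests are not missed."""
    base = 0
    while base + HEADER_LEN <= len(msg) and msg[base:base + 4] == SMB2_PROTOCOL_ID:
        cmd, flags, next_cmd, _mid, _res, tree_id, session_id = struct.unpack_from(
            "<H2xIIQIIQ", msg, base + 12)
        if cmd == SMB2_CREATE and not flags & SMB2_FLAGS_SERVER_TO_REDIR:
            body = base + HEADER_LEN
            if body + CREATE_BODY_LEN <= len(msg):
                name_off, name_len = struct.unpack_from("<HH", msg, body + 44)
                start, end = base + name_off, base + name_off + name_len
                # Skip malformed names rather than trusting attacker-supplied lengths.
                if name_len and name_len % 2 == 0 and end <= len(msg):
                    yield session_id, tree_id, msg[start:end].decode("utf-16-le", "replace")
        if next_cmd == 0:
            break
        base += next_cmd


def extract_create_names(payload):
    """Walk one direction of a NetBIOS-framed TCP/445 stream and return every
    name requested in a CREATE. Truncated frames (e.g. a cut capture) are dropped."""
    found = []
    off = 0
    while off + 4 <= len(payload) and payload[off] == 0x00:
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        msg = payload[off + 4:off + 4 + length]
        if len(msg) < length:
            break
        found.extend(_walk_compound(msg))
        off += 4 + length
    return found


def notable(names):
    """Filter recovered names down to the well-known RPC pipes above."""
    return sorted(n for n in names if n.lower() in NOTABLE_PIPES)


def demo_payload():
    """Constructed client-to-server stream: TREE_CONNECT to IPC$ (ignored by the
    parser), then CREATEs for svcctl and a made-up pipe name."""
    path = "\\\\srv\\IPC$".encode("utf-16-le")
    tree_connect = smb2_header(SMB2_TREE_CONNECT) + struct.pack("<HHHH", 9, 0, 72, len(path)) + path
    return (nbss_frame(tree_connect)
            + nbss_frame(smb2_create_request("svcctl", message_id=2))
            + nbss_frame(smb2_create_request("mytool-ctrl", message_id=3)))


if __name__ == "__main__":
    for sid, tid, name in extract_create_names(demo_payload()):
        print(f"session={sid:#x} tree={tid} pipe={name}")
```

On a real capture you would feed the client-to-server bytes of the TCP stream (e.g. the "Follow TCP stream" raw export) into `extract_create_names`; the parser only sees the CREATE, so correlate `tree_id` back to the TREE_CONNECT response yourself to confirm the share was IPC$ rather than a file share.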
- Bluesman 4 months ago
Bronze III
I'd have to check my notes, but I think I completed this lab, or at least many of the answers, by directly analyzing Wireshark packets. And there are quite a few! Yes, I have *many* labs and *many* hours of analyzing packets behind me; I've just gotten used to it :).
And I think my eyesight is suffering for it ... ;)