Forum Discussion

steven's avatar
steven
Icon for Silver I rankSilver I
2 months ago
Solved

Need help: Endace: Ep.3 – Elastic Integration Scenario

I stumbled upon this lab after my holidays and I was able to solve all questions except:   So far I was able to follow the path from the first user, over to the second user and the service inst...
help & support
immersive labs
  • RobReeves's avatar
    RobReeves
    2 months ago

    Hay Steven!  Hope you're well.  I've had a quick run through the lab and to your points above:

    1.  I was able to find the named pipe, but not in Elastic.  The SIEM isn't collecting Sysmon logs (or something else that would show named pipe creation) - but using Endace I could find the pipe name.

    2.  I did find that on my first attempt, this didn't seem to play nicely for me, but restarting the lab and waiting 5 mins (cup of tea time), I came back to that last question and followed the process without issue.  I haven't worked out if it was a Layer 8 problem (me) or if something else happening, but we are looking into this now.  

    Because this is a challenge lab, we don't usually give out too much information, but please reply here if you have further problems.  I was able to complete the lab however.

    Our Endace expert has travelled to the APAC region this week, so waiting for them to resurface later today to help troubleshoot. 

    UPDATE:  With a little more analysis, I did notice that when you follow the stream reference link in Elastic to Endace, a little bit of patience is needed to allow the stream to load and the initial analysis to be done, otherwise trying to run the post-process action straight away can make Endace misbehave?  We will continue to look at this and see if we can make any improvements.

RobReeves's avatar
RobReeves
Icon for Immerser rankImmerser
2 months ago

Hay Steven!  Hope you're well.  I've had a quick run through the lab and to your points above:

1.  I was able to find the named pipe, but not in Elastic.  The SIEM isn't collecting Sysmon logs (or something else that would show named pipe creation) - but using Endace I could find the pipe name.

2.  I did find that on my first attempt, this didn't seem to play nicely for me, but restarting the lab and waiting 5 mins (cup of tea time), I came back to that last question and followed the process without issue.  I haven't worked out if it was a Layer 8 problem (me) or if something else happening, but we are looking into this now.  

Because this is a challenge lab, we don't usually give out too much information, but please reply here if you have further problems.  I was able to complete the lab however.

Our Endace expert has travelled to the APAC region this week, so waiting for them to resurface later today to help troubleshoot. 

UPDATE:  With a little more analysis, I did notice that when you follow the stream reference link in Elastic to Endace, a little bit of patience is needed to allow the stream to load and the initial analysis to be done, otherwise trying to run the post-process action straight away can make Endace misbehave?  We will continue to look at this and see if we can make any improvements.

steven's avatar
steven
Icon for Silver I rankSilver I
2 months ago

Thats interesting. I've started the lab today again, and just let it run for 15min (2 coffees) and the magically: file extraction (via send) showed the first time a file (never did before) and with the right smb filter in wireshark it was visible too (I'm pretty sure it wasn't before). 

and I didn't put any filter before, I was always watching all packets in wireshark.

strange... /me gets always confused about such behaviour. anyway, lab closed. thanks RobReeves

  • Bluesman's avatar
    Bluesman
    Icon for Bronze II rankBronze II
    2 months ago

    I'd have to check my notes, but I think I completed this Lab, or at least many of the answers, by directly analyzing Wireshark packets. And there are quite a few!: yes, I've had *many* labs and *many* hours analyzing packets behind me; I've just gotten used to it :).

    And I think my eyesight is suffering for it ... ;)