Forum Discussion
Need help: Endace: Ep.3 – Elastic Integration Scenario
- 5 months ago
Hey Steven! Hope you're well. I've had a quick run through the lab and to your points above:
1. I was able to find the named pipe, but not in Elastic. The SIEM isn't collecting Sysmon logs (or something else that would show named pipe creation) - but using Endace I could find the pipe name.
2. I did find that on my first attempt, this didn't seem to play nicely for me, but restarting the lab and waiting 5 mins (cup of tea time), I came back to that last question and followed the process without issue. I haven't worked out if it was a Layer 8 problem (me) or if something else was happening, but we are looking into this now.
Because this is a challenge lab, we don't usually give out too much information, but please reply here if you have further problems. I was able to complete the lab however.
Our Endace expert has travelled to the APAC region this week, so waiting for them to resurface later today to help troubleshoot.
UPDATE: With a little more analysis, I did notice that when you follow the stream reference link in Elastic to Endace, a little bit of patience is needed to allow the stream to load and the initial analysis to be done, otherwise trying to run the post-process action straight away can make Endace misbehave? We will continue to look at this and see if we can make any improvements.
That's interesting. I've started the lab today again, and just let it run for 15 min (2 coffees) and then magically: file extraction (via send) showed a file for the first time (it never did before) and with the right SMB filter in Wireshark it was visible too (I'm pretty sure it wasn't before).
And I didn't put any filter on before, I was always watching all packets in Wireshark.
Strange... /me always gets confused by such behaviour. Anyway, lab closed. Thanks RobReeves!
- Bluesman, 4 months ago
Bronze III
I'd have to check my notes, but I think I completed this lab, or at least many of the answers, by directly analyzing Wireshark packets. And there are quite a few! Yes, I have *many* labs and *many* hours of analyzing packets behind me; I've just gotten used to it :).
And I think my eyesight is suffering for it ... ;)