Need help: Endace: Ep.3 – Elastic Integration Scenario

Hay Steven!  Hope you're well.  I've had a quick run through the lab and to your points above:

1.  I was able to find the named pipe, but not in Elastic.  The SIEM isn't collecting Sysmon logs (or something else that would show named pipe creation) - but using Endace I could find the pipe name.

2.  I did find that on my first attempt, this didn't seem to play nicely for me, but restarting the lab and waiting 5 mins (cup of tea time), I came back to that last question and followed the process without issue.  I haven't worked out if it was a Layer 8 problem (me) or if something else happening, but we are looking into this now.  

Because this is a challenge lab, we don't usually give out too much information, but please reply here if you have further problems.  I was able to complete the lab however.

Our Endace expert has travelled to the APAC region this week, so waiting for them to resurface later today to help troubleshoot. 

UPDATE:  With a little more analysis, I did notice that when you follow the stream reference link in Elastic to Endace, a little bit of patience is needed to allow the stream to load and the initial analysis to be done, otherwise trying to run the post-process action straight away can make Endace misbehave?  We will continue to look at this and see if we can make any improvements.