FF
21 days ago
Sentinel Labs
My team and I have been encountering a few peculiar issues with the Microsoft Azure Sentinel based labs (KQL, Sentinel Blue Team Ops, Sentinel SOAR, etc.) where correct answers do not appear to be ge...
Hey FF
Nice to meet you! I'm Matt Parven, I helped build some of these labs.
Could you let me know which labs specifically and I can take a look. For reference, our labs use "Dynamic questions", which means the actual answer updates every time you launch the lab. For example, sometimes we might say "What date did X happen in D/M/Y" and, because our labs use live events, the date in the answer will change when the attack runs. This is true for lots of our questions, so if you find an answer isn't being accepted in a previously completed lab, that is why.
Hi Matt,
Thanks for the response - yep we've ruled that out, mostly we've found that the methodology is the same, but the results will vary.
In these instances, we've had results of fairly simple queries that don't seem to match up to the answer in the lab, sometimes off by one, sometimes exactly half/double the expected number, and in other instances we've got absolutely no idea what the correct answer could be. For a lot of the harder questions, I'd usually pass this off as user error and tell them to keep trying, but we've had issues on questions as simple as using Summarize to count the number of results of what I'd consider to be a simple query.
I'll touch base with the team and see if any of them can give me specific/evidenced instances of this happening.
Cheers!
James
Interesting! Thanks for the info, James.
If you let me know the specific labs I will make sure the team look into it and revert back here when I know more :)
Matt