FF
20 days ago

Sentinel Labs

My team and I have been encountering a few peculiar issues with the Microsoft Azure Sentinel based labs (KQL, Sentinel Blue Team Ops, Sentinel SOAR, etc.) where correct answers do not appear to be getting accepted. My team and I have even gone back to try solving previously completed labs and found that the answers/methods used to solve the labs do not seem to work.

Have there been any issues/problems identified/reported with this style of lab?  

  • KieranRowley

    Hi FF thanks for reaching out, let me direct your question to the relevant team and come back to you.

    • FF

      Newbie mistake - I've just realized I've posted this into the wrong forum - should be in the general community side, not Cyber Million! I don't think there's a way I can move the question to the Community section - can reopen question if need be.

  • Hey FF

    Nice to meet you! I'm Matt Parven, I helped build some of these labs.

    Could you let me know which labs specifically and I can take a look. For reference, our labs use "Dynamic questions", which means the actual answer updates every time you launch the lab. For example, sometimes we might say "What date did X happen in D/M/Y" and, because our labs use live events, the date in the answer will change when the attack runs. This is true for lots of our questions, so if you find an answer isn't being accepted in a previously completed lab, that is why.

    • FF

      Hi Matt, 

      Thanks for the response - yep we've ruled that out, mostly we've found that the methodology is the same, but the results will vary.

      In these instances, we've had results of fairly simple queries that don't seem to match up to the answer in the lab, sometimes off by one, sometimes exactly half/double the expected number, and in other instances we've got absolutely no idea what the correct answer could be. For a lot of the harder questions, I'd usually pass this off as user error and tell them to keep trying, but we've had issues on questions as simple as using Summarize to count the number of results of what I'd consider to be a simple query.

      I'll touch base with the team and see if any of them can give me specific/evidenced instances of this happening.

      Cheers!
      James 

      • MattParven

        Interesting! Thanks for the info, James.

        If you let me know the specific labs I will make sure the team look into it and revert back here when I know more :)

        Matt