Forum Discussion

ColeS's avatar
ColeS
Icon for Bronze II rankBronze II
28 days ago

Threat Research: Cobalt Strike C2 – SIEM Analysis - Question 4

Hello,

I'm trying to solve Question 4 of the "Threat Research: Cobalt Strike C2 – SIEM Analysis" lab, I've solved every other question EXCEPT that one. 

"What's the earliest @timestamp for the returned results? (Provide your answer in the format HH:MM:SS)"

I believe I've found the event since I answered question 5, but every format in which I put the timestamp seems to be wrong. The question implies to just put in hh:mm:ss, but that doesn't work. Putting in the fill @timestamp value doesn't work either. Is it a bug or just me?

Any help appreciated, thanks!

help & support
  • ColeS's avatar
    ColeS
    24 days ago

    Hey folks, I consulted with a colleague who finished the lab and got the answer with their advice. Format of the answer is HH.MM.SS (periods instead of colons), and they used event.created field instead of @timestamp. Also gotta check timezones ;)

    The wording of the question is a bit misleading here, may want to address that?

  • ColeS's avatar
    ColeS
    Icon for Bronze II rankBronze II
    24 days ago

    Hey folks, I consulted with a colleague who finished the lab and got the answer with their advice. Format of the answer is HH.MM.SS (periods instead of colons), and they used event.created field instead of @timestamp. Also gotta check timezones ;)

    The wording of the question is a bit misleading here, may want to address that?

    • BenMcCarthy's avatar
      BenMcCarthy
      Icon for Immerser rankImmerser
      24 days ago

      Hi ColeS,

      Thank you for sending your feedback! We have updated the task to ask for the event, created just as you pointed out! I have also chatted with the QA teams to ensure we are triple-checking for this type of error! I hope you enjoyed the lab, though :) 

    • CyberSharpe's avatar
      CyberSharpe
      Icon for Bronze III rankBronze III
      23 days ago

      Had the same issue. HH.MM.SS I was going insane with it. However once I did the . . . . it auto adjusted my time to an hour before UTC time.

  • TillyCorless's avatar
    TillyCorless
    Icon for Community Manager rankCommunity Manager
    28 days ago

    Hi ColeS 

    Thanks for the question and sharing where you think you might need some assistance. Let me speak to the lab author and get back to you, unless any member of the community has completed this lab and can offer some advice in the meantime!

  • z00peckteaball's avatar
    z00peckteaball
    Icon for Bronze I rankBronze I
    26 days ago

    hi ColeS , I am stucked on this question too. I tried all the dates too but still failing. I changed the formatting of date to HH:MM:SS of @timestamp but still fails.

  • ChrisKershaw's avatar
    ChrisKershaw
    Icon for Community Support rankCommunity Support
    25 days ago

    Hey ColeS & z00peckteaball 

    I think I can help here! 

    Once you've entered the required query from Task 3 into the search bar in Elastic, make sure to change the 'event.created' field in the results to 'Sort Old-New'. The first result, when it refreshes, should give you the answer you need to complete Task 4 👍🏻.

    I hope this helps you both 😊