Wizard Spider DFIR: Ep.9 – Sigma

Question

The question I'm stuck on is :&nbsp; Modify the rule file "file_event_win_macro_file.yml" to also include ".docm" file types. Convert this rule using Sigmac and use the output within Elastic. How many potentially malicious Microsoft Word files are discovered?&nbsp;I have done everything modified the rule and&nbsp; I have converted this rule using sigmac and have this output file.name.keyword:(*.dotm OR *.xlsm OR *.xltm OR *.potm OR *.pptm OR *.pptx OR *.docm)&nbsp;but I just cannot find elastic anywhere to use the output within elastic ? its not in the notes as a link, its not an app. ive even tried putting in the port number and ip address to get it up and that not working has anyone else completed this and no how to open elastic I feel like this should be the easy bit. Please help even Chatgpt has given up.&nbsp;

neeemu · Answer

Hi gilly32​ , there's another window for Elasticsearch, you just need to click that tab at the top of the page. Once you've opened that tab use Analytics &gt; Discover to perform the search.&nbsp;&nbsp;&nbsp;

samdickison · Answer

Hey gilly32​, I know a few people who have completed this lab who might be able to give a help: Carlossus​ GusC​ neeemu​ purplemoon​ CyberSharpe​. Otherwise I'll get one of the team to have a look for you.

Forum Discussion

Wizard Spider DFIR: Ep.9 – Sigma

2 Replies

Featured Places

Help

Related Content

Wizard Spider DFIR: Ep.10 – Demonstrate Your Skills

ImmersiveOne: Scattered Spider Release

tweaks to career paths

Re: Introduction to OWASP ZAP

Re: Terrapoint (Hats off, Immersive Labs)

Recent Discussions

SOC Analyst – Advanced / Malware Analysis / CookieMiner

Jinja2 Pen test

Introduction to Microsoft Sentinel - Error

Infrastructure Hacking: Demonstrate Your Skills – Attacking Web Servers

PowerShell Basics: Demonstrate Your Skills