immersive labs
148 Topics

Error in lab in SVMs Behavior Detection
Ref: /v2/labs/fundamental-ai-algorithms-ep-7-svms-behavior-detection/category/ai/series/fundamental-ai-algorithms

In Cell-2 of the lab, I used the code below:

# connect to elasticsearch using the username python and password pythonisawesome
#es = Elasticsearch( 'ELASTICSEARCH_URI', basic_auth=( 'USERNAME', 'PASSWORD' ) )
#es = Elasticsearch( 'http://elasticsearch:9200', basic_auth=( 'python', 'pythonisawesome' ) )
#es = Elasticsearch( 'http://127.0.0.1:9200', basic_auth=( 'python', 'pythonisawesome' ) )
es = Elasticsearch( 'http://172.17.0.1:9200', basic_auth=( 'python', 'pythonisawesome' ), verify_certs=False, ssl_show_warn=False )

# get the process tree for a process
#ptree = getPtree( es, 'PROCESS_COMMANDLINE_FOR_INITIAL_PROCESS' )
ptree = getPtree( es, '"C:\\Users\\Administrator\\Downloads\\python-3.10.4-amd64.exe"' )

While running, I got the following error:

---------------------------------------------------------------------------
ConnectionError                           Traceback (most recent call last)
<ipython-input-18-724dfb6e6522> in <module>
    107 # get the process tree for a process
    108 #ptree = getPtree( es, 'PROCESS_COMMANDLINE_FOR_INITIAL_PROCESS' )
--> 109 ptree = getPtree( es, '"C:\\Users\\Administrator\\Downloads\\python-3.10.4-amd64.exe"' )
    110
    111 # graph the structure of the process tree

<ipython-input-9-ceca3d8599dc> in getPtree(elasticsearch, initial_process)
    101
    102     # get the initial process id from its commandline
--> 103     initial_pid = getProcessFromCmdline( elasticsearch, initial_process )
    104     if initial_pid == None:
    105         return

<ipython-input-9-ceca3d8599dc> in getProcessFromCmdline(elasticsearch, process)
     31     # set it return the process entity id as the unique ID and the commandline and run the query
     32     fields = [ 'process.entity_id', 'process.command_line' ]
---> 33     results = esSearch( elasticsearch, query, fields )
     34
     35     # check it only returned one value

<ipython-input-9-ceca3d8599dc> in esSearch(elasticsearch, fields_values, fields)
     18
     19     # query elasticsearch specifying what fields you want it to return
---> 20     response = elasticsearch.search( index = 'winlogbeat-*', size='10000', query=query, fields=fields )
     21
     22     # return the query hits

/usr/local/lib/python3.8/dist-packages/elasticsearch/_sync/client/utils.py in wrapped(*args, **kwargs)
    412             pass
    413
--> 414         return api(*args, **kwargs)
    415
    416     return wrapped  # type: ignore[return-value]

/usr/local/lib/python3.8/dist-packages/elasticsearch/_sync/client/__init__.py in search(self, index, aggregations, aggs, allow_no_indices, allow_partial_search_results, analyze_wildcard, analyzer, batched_reduce_size, ccs_minimize_roundtrips, collapse, default_operator, df, docvalue_fields, error_trace, expand_wildcards, explain, fields, filter_path, from_, highlight, human, ignore_throttled, ignore_unavailable, indices_boost, lenient, max_concurrent_shard_requests, min_compatible_shard_node, min_score, pit, post_filter, pre_filter_shard_size, preference, pretty, profile, q, query, request_cache, rescore, rest_total_hits_as_int, routing, runtime_mappings, script_fields, scroll, search_after, search_type, seq_no_primary_term, size, slice, sort, source, source_excludes, source_includes, stats, stored_fields, suggest, suggest_field, suggest_mode, suggest_size, suggest_text, terminate_after, timeout, track_scores, track_total_hits, typed_keys, version)
   3745         if __body is not None:
   3746             __headers["content-type"] = "application/json"
-> 3747         return self.perform_request(  # type: ignore[return-value]
   3748             "POST", __path, params=__query, headers=__headers, body=__body
   3749         )

/usr/local/lib/python3.8/dist-packages/elasticsearch/_sync/client/_base.py in perform_request(self, method, path, params, headers, body)
    284             target = path
    285
--> 286         meta, resp_body = self.transport.perform_request(
    287             method,
    288             target,

/usr/local/lib/python3.8/dist-packages/elastic_transport/_transport.py in perform_request(self, method, target, body, headers, max_retries, retry_on_status, retry_on_timeout, request_timeout, client_meta)
    327             start_time = time.time()
    328             try:
--> 329                 meta, raw_data = node.perform_request(
    330                     method,
    331                     target,

/usr/local/lib/python3.8/dist-packages/elastic_transport/_node/_http_urllib3.py in perform_request(self, method, target, body, headers, request_timeout)
    197                 exception=err,
    198             )
--> 199             raise err from None
    200
    201         meta = ApiResponseMeta(

ConnectionError: Connection error caused by: ConnectionError(Connection error caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f4e74162700>: Failed to establish a new connection: [Errno 111] Connection refused))

4 views, 0 likes, 0 comments

Malicious Document Analysis: Dropper Analysis
I need help with this lab. I am going through the Malicious Document Analysis section of the Incident Response badge. It goes from "use olevba" to analyse documents to wanting you to edit a Python script to manually de-obfuscate files. There's no guidance on doing this within the lab, and the lab doesn't refer you to anywhere else you can learn or get information that will help with this lab. I don't want the answers or hand-holding, but a pointer in the right direction within the lab would be nice. Are there any other labs people recommend that may help prepare me for this one?

21 views, 0 likes, 0 comments

Healthcare Compliance
I keep getting an incorrect response when answering a question on the Healthcare Compliance lab, The HIPAA Framework. The question is: "Your hospital hires an IT consultant to audit your network security. Before giving them access to patient data, what must you do?" My response is "Have them sign a business associate agreement", but it's wrong. Any ideas what the correct response to this question is?

22 views, 0 likes, 0 comments

Microsoft Sentinel SOAR: Demonstrate Your Skills
I am currently working on the Microsoft Sentinel SOAR lab, which involves the use of a logic app for automation. Task 4 of the lab requires me to do the below, and the lab will automatically detect when I complete the task, but it hasn't been marking it as complete for me. Has anyone experienced a similar issue? I am certain my logic app designer is correct and the run history has been successful. Attached are screenshots.

220 views, 0 likes, 11 comments

APT29 Threat Hunting with Splunk: Demonstrate Your Skills - Question 10
In relation to the question "A PowerShell script was initially executed to extract encoded data from an image file. What is the full ParentCommandLine field value used to execute this?": I am pretty lost as to where I should be looking, as searching for the zipped file activities did not bring up any notable PowerShell scripts. I also tried inputting C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1 as well, which did not work.

Solved. 41 views, 0 likes, 1 comment

Threat Actors: Salt Typhoon – SNAPPYBEE Campaign Analysis - Question 7
In relation to "What is the device that tcpdump is dumping packets from?": for some reason win-host-1.asgard.corp and win-host-1 do not work, and neither does NPF_{B1ADE8FD-CC9A-4857-9C50-28078779F038}. I am wondering about what I am doing wrong in terms of approaching this question, and how I should be redirecting my attention instead. 10.10.10.30 does not work as well.

Solved. 34 views, 0 likes, 1 comment

Ethereum: The Blockchain, Transactions, and Explorers
Hi all, I am super stuck on question 9: "After completing the previous question, a certain number of ETH was sent to your wallet. Using the blockchain explorer, what is the address that sent you this ETH?" I have input the lab's wallet ID into the block explorer, but I can't see any transactions to trace where the ETH has come from. Am I being stupid, or is something not working?

26 views, 0 likes, 1 comment

Microsoft Sentinel SOAR: Demonstrate Your Skills
I have tried to complete the Microsoft Sentinel SOAR lab. I saw the following information, which is limiting my access. I am unable to complete any task that involves role assignment. I was able to complete every other task in the lab that does not involve role assignment. The lab was assigned to me as part of my assessment, but my license won't permit me to complete it. Has anyone encountered this error, and how did you resolve it?

70 views, 0 likes, 1 comment

Threat Actors: Salt Typhoon – SNAPPYBEE Campaign Analysis - Question 3
For the question "There is a .bat file that is executed on the victim machine. What is the file path of the .bat file?", for some reason I can't pick up any strings in general with that pattern. I am wondering if I should be parsing for something else such as a .zip, but even then, the "bat" keyword should have been picked up, I believe.

48 views, 0 likes, 2 comments

Threat Actors: Mint Sandstorm – Campaign Analysis - Question 9
In relation to the question "What named local variable holds the IP address from the for loop?": I have been checking out the local variables, but as per the for loop, none of the variables typed in were correct. I am basically lost if none of the local variables observed in the for loop was observed to be the answer. I am wondering about what direction I should take in terms of digging deeper into how the IP is stored, where even the variable ServIp was showcased to be incorrect, and wsaData. <-- I leveraged Gemini for aid in parsing and understanding the compiled code, for ease of understanding and in case there was anything I missed from the code that may hint at a more indirect variable as well.

Solved. 42 views, 0 likes, 1 comment