I skipped Task 2 because I can’t seem to get the right answer. I filtered for the IP of the TA and sorted by time and got the first object that was accessed, and somehow the answer is not right. I may be doing something wrong; any tips?

I was stuck here too. The AccountID you’re using may be wrong. There’s another AccountID in the event. The question’s wording makes it confusing. Make sure to include the file’s extension and that you don’t have leading or trailing spaces in your answer.

Is there another AccountID? I can’t seem to find the other account as the SIEM (ELK) that I’m using is only showing one AccountID.

I switched from ELK to Splunk but I’m still kinda stuck at Task 2 and Task 12; any hints for these two? I’m not sure if Task 12 is related to Task 11, since I don’t see any logs for the user in Task 11, or am I missing logs?

There is a recipientAccountID and an AccountID under userIdentity. I was mistaking one for the other. It sounds like you may be using the right one. If that is not where you are wrong, make sure you are looking at the very first instance of an event that is accessing a file. Remember Splunk and ELK will show the last events at the top, so you may need to go back. If you want to, send me your answer for task 2 to better understand what trouble you may be having.

As for question 12, I am still working on it. It’s also a bit ambiguous.
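The two pitfalls described in the post above (confusing `recipientAccountId` with `userIdentity.accountId`, and reading the newest-first SIEM view as if it were oldest-first) can be checked outside the SIEM. This is an added example, not part of the thread or the Sherlock; it assumes the logs are AWS CloudTrail JSON and uses constructed placeholder records, IPs and account IDs.

```python
import json
from datetime import datetime
from typing import Optional

# Constructed CloudTrail-style records (placeholder values, not the Sherlock's data).
# Listed newest-first, the way a SIEM results pane usually shows them.
SAMPLE_CLOUDTRAIL_JSON = """
{"Records": [
 {"eventTime": "2024-01-01T10:12:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "accountId": "111111111111", "userName": "compromised-user"},
  "recipientAccountId": "222222222222", "requestParameters": {"bucketName": "corp-data", "key": "finance/payroll.xlsx"}},
 {"eventTime": "2024-01-01T10:07:30Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "accountId": "111111111111", "userName": "compromised-user"},
  "recipientAccountId": "222222222222", "requestParameters": {"bucketName": "corp-data", "key": "hr/employee-list.csv"}},
 {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListObjects",
  "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "accountId": "111111111111", "userName": "compromised-user"},
  "recipientAccountId": "222222222222", "requestParameters": {"bucketName": "corp-data"}},
 {"eventTime": "2024-01-01T09:50:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "accountId": "222222222222", "userName": "normal-user"},
  "recipientAccountId": "222222222222", "requestParameters": {"bucketName": "corp-data", "key": "public/readme.txt"}}
]}
"""

# Only events that actually read an object count as "accessing a file"; listing a bucket does not.
OBJECT_READ_EVENTS = {"GetObject"}

def first_object_access(raw_json: str, suspect_ip: str) -> Optional[dict]:
    """Return the earliest S3 object read made from suspect_ip, with both account IDs."""
    records = json.loads(raw_json)["Records"]
    hits = [
        r for r in records
        if r.get("sourceIPAddress") == suspect_ip
        and r.get("eventSource") == "s3.amazonaws.com"
        and r.get("eventName") in OBJECT_READ_EVENTS
        and "key" in r.get("requestParameters", {})
    ]
    if not hits:
        return None
    # Sort oldest-first explicitly: the top row of a newest-first SIEM view is the LAST access.
    hits.sort(key=lambda r: datetime.fromisoformat(r["eventTime"].replace("Z", "+00:00")))
    first = hits[0]
    key = first["requestParameters"]["key"]
    return {
        "eventTime": first["eventTime"],
        "object_key": key,
        "file_name": key.rsplit("/", 1)[-1].strip(),          # keep the extension, no stray spaces
        "caller_account": first["userIdentity"]["accountId"],  # account that made the call
        "recipient_account": first["recipientAccountId"],      # account that owns the bucket
    }

if __name__ == "__main__":
    print(first_object_access(SAMPLE_CLOUDTRAIL_JSON, "203.0.113.10"))
```

In the constructed data the caller and recipient accounts differ, which is exactly the case where picking the wrong field gives a wrong answer.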

Great Sherlock!

For task 12 you should focus on the user who reported the issue. I hope this hint helps.

Thanks! The hint definitely helped me. I was looking at the question from the wrong angle.

@Valtzz if you are still working on task 12 you can message me if you need more hints.

I was right the whole time, just needed to answer with the proper string. I thought it would match the format shown in the question. Thanks for the tip @n4xh0, it certainly helped me get the right answer. And thanks for offering to help @noobsuperuser! We did it!