SIEM & SOC fundamentals help

HTB Content Academy
1

I am currently in the module “SIEM Visualization Example 4: Users added or removed from a local group (within a specific time period)” and I need to have the following configuration in elastic. The problem is that I’m not getting any results and I think the settings are fine. Could someone correct me?

My conf:

filters: “event.code: is one of 4732, 4733” “group.name: administrators”
rows: username.keyword / winglog.event_data.MemberSid.keyword / group.name.keyword / event.action.keyword / host.name.keyword

PS: I can’t post images of the configuration because I am a new user on the forum.

2

image
image1920×522 124 KB

My configuration:

3

SOLVED :smiley:

4

how did you manage to tackle this problem since I am having the same error

5

When you start the objective, if you notice, the dashboard is already created.

You just have to look at the date that is established and enter it in the format they request. :wink:

1 Like
6

thank you for getting back to me with an answer, you rock brother !

8

The funny thing is the right answer in the second line of the section :wink:

9

Hello sir
I have tried to enter the time format accordingly but after I input the answer is not correct.
can you help?

image
image971×292 50.8 KB

thanks

10

Hello sirr
I have tried to enter the time format accordingly but after I input the answer is not correct.
can you help?

image
image971×292 50.8 KB

Thank youu

11

Hello sir
I have tried to enter the time format accordingly but after I input the answer is not correct.
can you help?

image
image971×292 50.8 KB

12

verify the Timestamp interval. It should be 1 days and you ll get the right date.

BEst regards

3 Likes
13

Thank you, I was stuck on this for a while because it defaulted to ‘per week’. Changing this to ‘per day’ fixed it, and the answer was the same whether I used ‘event.created per day’ or ‘@timestamp per day’.

1 Like
14

Make sure the filter is entered correctly:
Field: event.code
Operator: is one of
Values: 4732 (and separately) 4733 - they should show in different boxes, each with a ‘X’ next to them

15

some times the answer is really simple.
don’t forget we are actually already changing the time range at the end of this section. Considering that you will get the answer.

16

Where I went wrong. I wrote “4732, 4733”.

Yes the two values separated into two boxes. However the error still occurred.

To fix this, I tried again but inputting one value at a time. “4732” followed by the Enter key.

Do the same with the next value and all should be good :slight_smile:

17

Not sure why, but for myself, even after changing the interval. The date always remained as 2023-03-06.

I spent quite a while looking around to see where I had gone wrong, but nothing changed. I ended up doing 05 instead of 06 and it went through.

Just wish I knew where the mistake was, or if mine was bugged (Highly doubt).