#1 | Using the "View Surrounding Documents" option, find the ID of the document that is 14 documents before (older) the id GDQOB3IBwJHf9VOW-r0Y? | 50 | 272
#2 | Using the "View Surrounding Documents" option, find the IP of the document that is 16 documents after (newer) the id vDQOB3IBwJHf9VOW-Lyd? | 50 | 274
#3 | How many requests have come from the IP address 2.49.53.218 between the 6th of May and the 13th of May? (time is in UTC) | 50 | 297
#4 | What percentage of logs are from Windows 8 machines on the 11th of May? (time is in UTC) | 50 | 245
#5 | How many 503 errors were there on the 8th of May? (time is in UTC) | 50 | 285
#6 | How many connections to the host "www.elastic.co" were made on the 12th of May? (time is in UTC) | 50 | 274
#7 | What is the second most common extension of files being accessed on the 12th of May? (time is in UTC) | 50 | 267
#8 | Find the first IP address to connect to the host elastic-elastic-elastic.org on the 12th of May. (time is in UTC) | 50 | 266
#9 | What was the username used that failed to log in on the 15th of May at 10:44 pm? (time is in UTC) | 50 | 243
#10 | What's the host machine's hostname? | 50 | 248
#11 | Using current data, what version of the stack is running? | 50 | 252
#12 | Using current data in the auditbeat index, what is the name of the Elasticsearch node? (one word) | 50 | 200
#13 | What is the name of the beat to collect Windows logs? (one word) | 50 | 243
#14 | What is the name of the beat that sends network data? (one word) | 50 | 238
#15 | How many fields are in the auditbeat-* index pattern? | 50 | 221
#16 | On the 14th of May, how many failed authentication attempts did the host server receive? (time is in UTC) | 100 | 219
#17 | On the 13th and 14th of May, how many bytes were received by the source IP 159.89.203.214? (time is in UTC) | 100 | 181
#18 | What username did they crack? | 100 | 204
#19 | What host was attacked? | 100 | 198
#20 | How many failed attempts were made on the machine? | 100 | 177
#21 | What time was the last failed login attempt? | 100 | 169
#22 | What time did the attacker successfully log in? | 100 | 170
#23 | What is the first command the attacker ran on the box? | 100 | 185
#24 | What tool did the attacker use to get the exploit onto the machine? | 100 | 182
#25 | Shortly after getting the exploit on the machine, the attacker used vim to create a file. What is the name of that file? | 100 | 175
#26 | What is the filename of the exploit that was run? | 100 | 179
#27 | What is the first ID of the log that shows the exploit being run? | 100 | 139
#28 | What parameter turned the script from testing to exploiting? | 150 | 164
#29 | Using filebeat data - What IP was the shell sent to? | 150 | 166
#30 | Using filebeat data - After running the exploit, they accessed the /etc/passwd file. What is the ID of the doc that shows this? | 150 | 132
#31 | Using filebeat data - We think they created a new user. What was the name of that user? | 150 | 148