| #1 |
Using the "View Surrounding Documents" option, find the ID of the document that is 14 documents before (older) the id GDQOB3IBwJHf9VOW-r0Y?
|
50 |
272
|
|
|
|
| #2 |
Using the "View Surrounding Documents" option, find the IP of the document that is 16 documents after (newer) the id vDQOB3IBwJHf9VOW-Lyd?
|
50 |
274
|
|
|
|
| #3 |
How many requests have come from the IP address 2.49.53.218 between the 6th of May and the 13th of May? (time is in UTC)
|
50 |
297
|
|
|
|
| #4 |
What percentage of logs are from windows 8 machines on the 11th of May? (time is in UTC)
|
50 |
245
|
|
|
|
| #5 |
How many 503 errors were there on the 8th of May? (time is in UTC)
|
50 |
285
|
|
|
|
| #6 |
How many connections to the host "www.elastic.co" were made on the 12th of May? (time is in UTC)
|
50 |
274
|
|
|
|
| #7 |
What is the second most common extension of files being accessed on the 12th of May? (time is in UTC)
|
50 |
267
|
|
|
|
| #8 |
Find the first IP address to connect to the host elastic-elastic-elastic.org on the 12th of May. (time is in UTC)
|
50 |
266
|
|
|
|
| #9 |
What was the username used that failed to log in on the 15th of May at 10:44 pm? (time is in UTC)
|
50 |
243
|
|
|
|
| #10 |
What's the host machine's hostname?
|
50 |
248
|
|
|
|
| #11 |
Using current data, what version of the stack is running?
|
50 |
252
|
|
|
|
| #12 |
Using current data in the auditbeat index, what is the name of the elasticsearch node? (one word)
|
50 |
200
|
|
|
|
| #13 |
What is the name of the beat to collect windows logs? (one word)
|
50 |
243
|
|
|
|
| #14 |
What is the name of the beat that sends network data? (one word)
|
50 |
238
|
|
|
|
| #15 |
How many fields are in the auditbeat-* index pattern?
|
50 |
221
|
|
|
|
| #16 |
On the 14th of May, how many failed authentication attempts did the host server receive? (time is in UTC)
|
100 |
219
|
|
|
|
| #17 |
On the 13th and 14th of May, how many bytes were received by the source IP 159.89.203.214 (time is in UTC)
|
100 |
181
|
|
|
|
| #18 |
What username did they crack?
|
100 |
204
|
|
|
|
| #19 |
What host was attacked?
|
100 |
198
|
|
|
|
| #20 |
How many were failed attempts made on the machine?
|
100 |
177
|
|
|
|
| #21 |
What time was the last failed attempted login?
|
100 |
169
|
|
|
|
| #22 |
What time did the attacker successfully login?
|
100 |
170
|
|
|
|
| #23 |
What is the first command the attacker ran on the box?
|
100 |
185
|
|
|
|
| #24 |
What tool did the attacker use to get the exploit onto the machine?
|
100 |
182
|
|
|
|
| #25 |
Shortly after getting the exploit on the machine, the attacker used vim to create a file. What is the name of that file?
|
100 |
175
|
|
|
|
| #26 |
What is the filename of the exploit that was run?
|
100 |
179
|
|
|
|
| #27 |
What is the first ID of the log that shows the exploit being run?
|
100 |
139
|
|
|
|
| #28 |
What parameter turned the script from testing to exploiting?
|
150 |
164
|
|
|
|
| #29 |
Using filebeat data - What IP was the shell sent to?
|
150 |
166
|
|
|
|
| #30 |
Using filebeat data - After running the exploit, they accessed the /etc/passwd file, what is the ID of the doc that shows this?
|
150 |
132
|
|
|
|
| #31 |
Using filebeat data - We think they created a new user. What was the name of that user?
|
150 |
148
|
|
|