| #1 |
Using the "View Surrounding Documents" option, find the ID of the document that is 14 documents before (older) the id GDQOB3IBwJHf9VOW-r0Y?
|
50 |
112
|
|
|
|
| #2 |
Using the "View Surrounding Documents" option, find the IP of the document that is 16 documents after (newer) the id vDQOB3IBwJHf9VOW-Lyd?
|
50 |
108
|
|
|
|
| #3 |
How many requests have come from the IP address 2.49.53.218 between the 6th of May and the 13th of May? (time is in UTC)
|
50 |
130
|
|
|
|
| #4 |
What percentage of logs are from windows 8 machines on the 11th of May? (time is in UTC)
|
50 |
92
|
|
|
|
| #5 |
How many 503 errors were there on the 8th of May? (time is in UTC)
|
50 |
124
|
|
|
|
| #6 |
How many connections to the host "www.elastic.co" were made on the 12th of May? (time is in UTC)
|
50 |
115
|
|
|
|
| #7 |
What is the second most common extension of files being accessed on the 12th of May? (time is in UTC)
|
50 |
115
|
|
|
|
| #8 |
Find the first IP address to connect to the host elastic-elastic-elastic.org on the 12th of May. (time is in UTC)
|
50 |
114
|
|
|
|
| #9 |
What was the username used that failed to log in on the 15th of May at 10:44 pm? (time is in UTC)
|
50 |
99
|
|
|
|
| #10 |
What's the host machine's hostname?
|
50 |
101
|
|
|
|
| #11 |
Using current data, what version of the stack is running?
|
50 |
106
|
|
|
|
| #12 |
Using current data in the auditbeat index, what is the name of the elasticsearch node? (one word)
|
50 |
71
|
|
|
|
| #13 |
What is the name of the beat to collect windows logs? (one word)
|
50 |
100
|
|
|
|
| #14 |
What is the name of the beat that sends network data? (one word)
|
50 |
97
|
|
|
|
| #16 |
How many fields are in the auditbeat-* index pattern?
|
50 |
85
|
|
|
|
| #17 |
On the 14th of May, how many failed authentication attempts did the host server receive? (time is in UTC)
|
100 |
81
|
|
|
|
| #18 |
On the 13th and 14th of May, how many bytes were received by the source IP 159.89.203.214 (time is in UTC)
|
100 |
66
|
|
|
|
| #19 |
What username did they crack?
|
100 |
75
|
|
|
|
| #20 |
What host was attacked?
|
100 |
73
|
|
|
|
| #21 |
How many were failed attempts made on the machine?
|
100 |
65
|
|
|
|
| #22 |
What time was the last failed attempted login?
|
100 |
66
|
|
|
|
| #23 |
What time did the attacker successfully login?
|
100 |
64
|
|
|
|
| #24 |
What is the first command the attacker ran on the box?
|
100 |
68
|
|
|
|
| #25 |
What tool did the attacker use to get the exploit onto the machine?
|
100 |
72
|
|
|
|
| #26 |
Shortly after getting the exploit on the machine, the attacker used vim to create a file. What is the name of that file?
|
100 |
67
|
|
|
|
| #27 |
What is the filename of the exploit that was run?
|
100 |
69
|
|
|
|
| #28 |
What is the first ID of the log that shows the exploit being run?
|
100 |
42
|
|
|
|
| #29 |
What parameter turned the script from testing to exploiting?
|
150 |
62
|
|
|
|
| #30 |
Using filebeat data - What IP was the shell sent to?
|
150 |
60
|
|
|
|
| #31 |
Using filebeat data - After running the exploit, they accessed the /etc/passwd file, what is the ID of the doc that shows this?
|
150 |
44
|
|
|
|
| #32 |
Using filebeat data - We think they created a new user. What was the name of that user?
|
150 |
46
|
|
|