I believe I have run into a wrong answer on the Getting Started with Elastic Stack: Queries lab. Question 3 asks:
How many logon failures did Windows user snoopy have?
I used the query below and received 14, but the answer is not accepted.
event.code:4625 and user.name:snoopy
Question 4: How many web (HTTP) requests were made in the time frame selected?
I use this query to get all http requests, but it is also wrong.
http.request.method : *
Are my queries wrong or is the answer in the lab wrong?
For the Snoopy login failures, we are looking for a winlog.event_data field. Your answer is not “wrong”, it’s just capturing both login failures and endpoint security events.
For the “HTTP Requests” question, you are looking at Apache web server logs:
What we are looking for are HTTP connections made from the client (think destination port). I have changed the question to help clarify this.
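To show why the two queries in the question count different things, here is an added example (not from the lab or from Elastic) with a tiny KQL-subset matcher run over constructed sample documents. The document set and the field names winlog.event_data.TargetUserName and destination.port are assumptions modelled on the reply above, not lab data.

```python
import re

# Constructed sample documents (not lab data): two Windows Security-log
# failures for snoopy, one assumed Elastic Endpoint event that also carries
# event.code 4625 and user.name but no winlog.event_data, one successful
# logon, plus network documents with and without a parsed HTTP request.
EVENTS = [
    {"event.code": "4625", "user.name": "snoopy",
     "winlog.event_data.TargetUserName": "snoopy", "winlog.channel": "Security"},
    {"event.code": "4625", "user.name": "snoopy",
     "winlog.event_data.TargetUserName": "snoopy", "winlog.channel": "Security"},
    {"event.code": "4625", "user.name": "snoopy", "event.module": "endpoint"},
    {"event.code": "4624", "user.name": "snoopy",
     "winlog.event_data.TargetUserName": "snoopy", "winlog.channel": "Security"},
    {"destination.port": 80, "http.request.method": "GET"},
    {"destination.port": 80},            # flow record: connection seen, no HTTP parse
    {"destination.port": 443},
]

TERM = re.compile(r"^([\w.]+)\s*:\s*(\S+)$")

def match_term(doc, term):
    """Evaluate one KQL term `field:value`; `*` matches any existing value."""
    m = TERM.match(term.strip())
    if not m:
        raise ValueError(f"unsupported term: {term!r}")
    field, value = m.groups()
    if field not in doc:
        return False
    return value == "*" or str(doc[field]) == value

def count(query, docs=EVENTS):
    """Count documents matching a KQL subset: terms joined by `and`."""
    terms = re.split(r"\s+and\s+", query.strip(), flags=re.IGNORECASE)
    return sum(all(match_term(d, t) for t in terms) for d in docs)

if __name__ == "__main__":
    for q in ("event.code:4625 and user.name:snoopy",
              "event.code:4625 and winlog.event_data.TargetUserName:snoopy",
              "http.request.method : *",
              "destination.port:80"):
        print(f"{count(q):>3}  {q}")
```

The user.name query picks up the endpoint event as well as the Security-log failures, while filtering on a winlog.event_data field keeps only the Windows logon failures; likewise `destination.port:80` counts the connection that was never parsed as an HTTP request.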
Got it, thanks for the pointers. So the difference between question 2 and 3 is one asking for how many events vs how many actual failures? Since in question 2 I got the answer using the query
event.code:4624
I think it would also help if the instructions explained those queries a bit more. The winlog.event_data field was not covered in any of the material; rather, the other query was presented as the method to use.