For anyone who has run through the recently published Incident Analysis: Collection & Exfiltration, there is a question in the challenge lab that I am stuck on and would like some assistance with, namely Question 3.
The question is the following and continues from the guided lab.
This ought to be relatively easy to answer; however, I am finding that the time (most recent) that I am providing for the date of 2025-04-25 xx:xx:xx is not being accepted.
Has anyone else been able to complete this lab successfully?
The syntax is relatively easy, with one example being as follows, with the date range set to cover the period of April 25 as the question mentions:
(destination.ip:(162.125.0.0/16) and data_stream.dataset:pfsense.log)
Q3. What is the timestamp (as observable in Elastic) of the latest (most recent) network connection attempt on April 25th, to one of the Dropbox IP addresses that we identified in the Guided Exercise? Your answer should be in the format of YYYY-MM-DD HH:MM:SS. For example, 2025-01-01 01:02:03. You can ignore the remaining portion of the timestamp after seconds.
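The KQL query above filters on a destination CIDR and a dataset, and the question then asks for the latest matching event on one calendar day. The following is an added example, not code from the original post or from the lab itself, that reproduces that logic offline in Python: the ECS-style field names (`@timestamp`, `destination.ip`, `data_stream.dataset`), the sample events and the `utc_offset_hours` parameter are all constructed for illustration. It also makes one practitioner caveat explicit: Elasticsearch stores `@timestamp` in UTC, while Kibana renders it in the timezone set by its `dateFormat:tz` setting (the browser's timezone by default), so "latest on April 25th" can point at a different document depending on which timezone the day boundary is evaluated in.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample events using ECS field names; these are not records from the lab.
EVENTS = [
    {"@timestamp": "2025-04-25T08:12:30.123Z", "destination.ip": "162.125.66.14", "data_stream.dataset": "pfsense.log"},
    {"@timestamp": "2025-04-25T23:41:07.998Z", "destination.ip": "162.125.3.9",   "data_stream.dataset": "pfsense.log"},
    {"@timestamp": "2025-04-25T23:59:59.000Z", "destination.ip": "162.125.3.9",   "data_stream.dataset": "system.syslog"},  # wrong dataset
    {"@timestamp": "2025-04-25T22:00:00Z",     "destination.ip": "8.8.8.8",       "data_stream.dataset": "pfsense.log"},    # not a Dropbox range
    {"@timestamp": "2025-04-26T00:15:00Z",     "destination.ip": "162.125.1.1",   "data_stream.dataset": "pfsense.log"},    # April 26 in UTC
]

# The range used in the post's query; extend this list if the guided exercise identified more.
DROPBOX_RANGES = [ipaddress.ip_network("162.125.0.0/16")]


def parse_ts(value):
    """Parse an Elastic @timestamp (ISO 8601 with a 'Z' suffix) into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def matches(event, ranges, dataset):
    """Offline equivalent of: destination.ip:(<cidr>) and data_stream.dataset:<dataset>."""
    if event.get("data_stream.dataset") != dataset:
        return False
    try:
        ip = ipaddress.ip_address(event.get("destination.ip", ""))
    except ValueError:  # malformed or missing destination.ip never matches
        return False
    return any(ip in net for net in ranges)


def latest_connection(events, day, ranges=DROPBOX_RANGES, dataset="pfsense.log", utc_offset_hours=0):
    """Return the most recent matching event on `day` (YYYY-MM-DD) formatted as
    'YYYY-MM-DD HH:MM:SS', with the day boundary and the output evaluated in the
    display timezone given as a fixed offset from UTC. Returns None if nothing matches."""
    display_tz = timezone(timedelta(hours=utc_offset_hours))
    candidates = []
    for ev in events:
        if not matches(ev, ranges, dataset):
            continue
        local = parse_ts(ev["@timestamp"]).astimezone(display_tz)
        if local.strftime("%Y-%m-%d") == day:
            candidates.append(local)
    if not candidates:
        return None
    # Fractional seconds are dropped by the format, as the question allows.
    return max(candidates).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    # Same data, two display timezones: the "latest on April 25th" answer differs.
    print(latest_connection(EVENTS, "2025-04-25"))                      # UTC
    print(latest_connection(EVENTS, "2025-04-25", utc_offset_hours=-4))  # e.g. US Eastern in April
```

Run against the constructed events, the UTC view selects the 23:41:07 event, while a UTC-4 view pulls the April 26 00:15 UTC event back into April 25 and selects it instead. When an answer in this format is rejected, comparing the raw `@timestamp` in the document view with the value rendered in Discover is a quick way to confirm which timezone the grader expects.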