I successfully completed the challenge - I updated the rule ID and it fired off the correct level. I went to run the script to get the flag and it just keeps responding “I do not see the correct alert level for this event”. I followed identical instructions to the lab walkthrough in 1.2 and achieved the expected results, but am now not able to get the flag. I’m not sure what I’m missing here.
I actually figured out the issue. The instructions said to NOT create a new local rule, but only to edit an existing rule. I started over, and edited the existing rule and it worked - I was able to obtain the flag.
I have the same problem; however, I have tried for many days.
Hi, I am also having this challenge. I did not create a new local rule; I edited an existing rule and was successfully able to edit the rule to trigger a level 12 alert in the SIEM for rule ID 10002, as explained in the lab. In step 20 it reads “In the last step, you will run a scoring script that will determine if you edited the SIEM rules correctly.”
When I run sudo /lab-flag.sh it asks me for a password, but I do not see any password given and I’ve tried several different passwords. I’m not sure what I’m doing wrong or if I missed a step?
Any help would be greatly appreciated!
UPDATE: I was running sudo /lab-flag.sh instead of running sudo ./lab-flag.sh
I was finally able to figure it out and get the flag.