SOC Analysts - Execution in Windows - 1.2 Guided Exercise - I need help

Hello everyone,

I’m currently stuck on the exercise Execution in Windows - 1.2 Guided Exercise.

Has anyone had issues with the last questions? After following all the steps, the values I get for Wazuh agent.ip and data.win.eventdata.processID are marked as incorrect.

The hints I’m getting don’t seem to match.

The IP address 10.111.18.158 is the one generated by the Windows server.

Here was the last reply I gave you 🙂

1.) Be sure you have the correct date range.

2.) For Question 3, be sure you are looking for MSPAINT.

3.) For Question 4, be sure you select the EARLIEST event; there are only two in the date range.