SOC Analysts I need help - Execution in Windows - 1.2 Guided Exercise

Hello everyone,

I’m currently stuck on the exercise Execution in Windows - 1.2 Guided Exercise.

Has anyone had issues with the last questions? After following all the steps, the values I get for Wazuh agent.ip and data.win.eventdata.processID are marked as incorrect.

The hints I’m getting don’t seem to match.

The IP address 10.111.18.158 is the one generated by the Windows server.

I just ran through the lab and I was able to get the correct answers.

1.) Be sure you have the correct date range:


2.) For Question 3, be sure you are looking for MSPAINT:


3.) For Question 4, be sure you select the EARLIEST event, there are only two in the date range:

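The three checks in the reply above (right date range, filter on MSPAINT, take the earliest matching event) can be reproduced outside the dashboard by reading the raw alert stream. The script below is an added example, not part of this thread or of the lab material: it takes constructed alert lines in the shape of Wazuh's `alerts.json`, keeps only the events inside a UTC date range whose Windows event data mentions `mspaint`, and returns the `agent.ip` and `data.win.eventdata.processID` of the earliest one. The field names follow the question; the timestamps, IPs and process IDs are made up for the example.

```python
import json
from datetime import datetime, timezone

# Constructed sample alerts shaped like Wazuh alerts.json lines (all values hypothetical).
SAMPLE_ALERTS = "\n".join([
    # mspaint event that is OUTSIDE the date range (the day before) -> must be ignored
    json.dumps({"timestamp": "2024-05-01T09:00:00.000+0000",
                "agent": {"id": "001", "name": "WIN-SRV", "ip": "10.0.0.5"},
                "data": {"win": {"eventdata": {"image": "C:\\Windows\\System32\\mspaint.exe",
                                               "processID": "3001"}}}}),
    # unrelated process inside the range -> filtered out by the MSPAINT check
    json.dumps({"timestamp": "2024-05-02T09:45:00.000+0000",
                "agent": {"id": "001", "name": "WIN-SRV", "ip": "10.0.0.5"},
                "data": {"win": {"eventdata": {"image": "C:\\Windows\\System32\\notepad.exe",
                                               "processID": "4100"}}}}),
    # the LATER of the two in-range mspaint events
    json.dumps({"timestamp": "2024-05-02T11:30:00.000+0000",
                "agent": {"id": "001", "name": "WIN-SRV", "ip": "10.0.0.5"},
                "data": {"win": {"eventdata": {"image": "C:\\Windows\\System32\\mspaint.exe",
                                               "processID": "6200"}}}}),
    # the EARLIEST in-range mspaint event -> this is the one to answer with
    json.dumps({"timestamp": "2024-05-02T10:15:00.000+0000",
                "agent": {"id": "001", "name": "WIN-SRV", "ip": "10.0.0.5"},
                "data": {"win": {"eventdata": {"image": "C:\\Windows\\System32\\mspaint.exe",
                                               "processID": "5120"}}}}),
])


def parse_alerts(text):
    """Parse newline-delimited JSON alerts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def alert_time(alert):
    """Wazuh timestamps look like 2024-05-02T10:15:00.000+0000; %z accepts the +0000 offset."""
    return datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")


def mentions_process(alert, needle):
    """True if any value under data.win.eventdata contains the needle (case-insensitive)."""
    eventdata = alert.get("data", {}).get("win", {}).get("eventdata", {})
    return any(needle.lower() in str(value).lower() for value in eventdata.values())


def earliest_process_event(alerts, needle, start, end):
    """Apply the three checks: date range [start, end), process name filter, earliest event.

    Returns the fields the exercise asks for plus how many candidates were in range,
    or None when nothing matched (a sign the date range or filter is wrong).
    """
    in_scope = [a for a in alerts
                if start <= alert_time(a) < end and mentions_process(a, needle)]
    if not in_scope:
        return None
    first = min(in_scope, key=alert_time)
    return {
        "timestamp": first["timestamp"],
        "agent.ip": first["agent"]["ip"],
        "data.win.eventdata.processID": first["data"]["win"]["eventdata"]["processID"],
        "candidates_in_range": len(in_scope),
    }


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    window_start = datetime(2024, 5, 2, tzinfo=timezone.utc)
    window_end = datetime(2024, 5, 3, tzinfo=timezone.utc)
    print(earliest_process_event(alerts, "mspaint", window_start, window_end))
```

The `candidates_in_range` count is worth printing when the answer is rejected: if it is not 2, as the reply says it should be for the lab, the date range is the first thing to recheck; if it is 0, the process filter is.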