#defending-azure-path
🥳
let's go
Aight let's give this a whirl.
the discount code, is it only going to be active till 18th this week?
Why is it not possible to pay in USD, not GBP?
MS Sentinel: Just Looking labs are good, was my first time testing Sentinel.
thanks
Sentinel is the best siem and the easiest one to use imo, once you get into grips with it. I use it every day for work.
It's part of THM premium, right?
🥳
I thought it was but I think they made some changes
2 rooms are free rest is business
Although I am planning to use the discount to claim both the aws and azure path.
I'm getting confused with the 50% promo, which subscription or package do I need to choose for that?
Ah ok
XDR: Introduction I think there are some permissions that are lacking for the labs
not sure why stuff is greyed out for me.
I am bit confused with this 50% discounted code. I can't find it. I am premium as well.
Yeah I'd love to see a link to that discount. I'm fine with paying the three month business/cloud plan if I could see what this discount entails.
review so far: Introduction to Sentinel, XDR: Introduction
Who we can contact for that promo clarification?
Facepalm, we're all overlooking that the promo is in the images for the announcement
Can we pay now and start the lab later?
For individuals it's three months of access
Comes out to $187.50 USD with the promo for anyone curious
are the creators of these azure rooms even in discord. Its a joke that the labs are not even working and stuff is greyed out.
$62.50/month with the discount. I understand the cost is to cover Microsoft licensing and Azure storage. If I'm already paying an annual subscription for THM, wouldn't it be cheaper to buy the Microsoft licensing myself?
If I get certification I will take job?
I agree with this take. It would be great if it can be packaged into the THM subscription.
AWS & Azure bundle.
Ah! I thought the cost was for Azure alone. Will Azure and AWS always be bundled?
Right now it is, at 50% off.
I'm not clear here, if we have monthly subscription - paid,do we still need to pay for this learning path?
It mentioned in the monthly payment all learning path
Sounds like there's a separate Cloud subscription, like for the AWS content
Yes.
on XDR: Introduction task 8 , in the lab we do not have permission to create custom role, are we just suppose to follow the screenshots?
can anyone tell me where to find Workflow Id for an incident in sentinel?
One way open the Logs (Link to LA) then open any log entry, look for AdditionalDetails
What's the usual waiting period for write-ups?
I'd say submit when you're ready, and the creators can apply any embargo/timing restrictions
Yeah this is what annoyed me
when u follow the labs u cannot click anything because its greyed out
I am a bit worried now whether the labs u pay for are like this. The annoying thing about THM is that I think they have a no -refund policy
which is a bit stupid if the labs u are paying them for are not working.
I am also want to know the level of the labs, if they just basic / easy level before making any decision to purchase, and there is no info regarding the other rooms, as you need to pay first to see them
having problem with MS Sentinel: Just Looking room. It's been almost 50 minutes and still can't get any incidents
well I am not really bothered whether its good or bad really because my work will pay for it. Planning to buy tomorrow, before discount ends. But I can understand if u are paying out of your own pocket it can be a gamble in case it turns out to be bad. If my work did not pay for it then I probably might leave it out most likely. If you want to learn about Azure security that is for free then u can get 90 day free sentinel access and the SC-200 course for free by Microsoft.
having problem with MS Sentinel: Just Looking room. It's been almost 50 minutes and still can't get any incidents
If that happen just rename the rule (just the title) and save it, it will trigger then
ok
Hey there! Sorry for the confusion here. That task wasn't meant to have a custom role created on your own. We have changed the text and follow-along portion here now!
I am referring to the note on the task 3 "Note: If the incidents haven't showed up after 3-5m, editing the alert rules and re-saving them without changing any settings will force them to trigger incidents."
So my message was in regards to the XDR: Introduction task 8 comment you had, and we updated that task. Unless I'm misunderstanding your message now?
Thanks for fixing it
Gave +1 Rep to @radiant kiln (current: #5 - 1856)
in room MS Sentinel: Just Looking after ingesting log i am getting permission error saying don't have permission as per subscription etc any idea why or it's just a bug
wait few minutes, then refresh, it happen to me too
ok i'll try again thanks
Gave +1 Rep to @wide dome (current: #154 - 53)
Heya, anyone got past XDR: Defense Evasion Task 5?
I'm stuck on the SHA1 hash...I have 2 different hashes in the demo environment, but none is working.
Just wanted to make sure that I am just picking the wrong hashes and the task is working.
Forget what I've said. I am just incompetent :)
Is there a coupon available
for this
400 dollar is a bit expensive
do u get access to an entire tenant ?
NVM FOUND THE CODE BY SCROLLING UP LOL
it expires tomorrow lucky me
I feel bad for the guys who bought aws path way back for the amount they charged back then. Now they are giving both paths for just half price 
nice room
Can anyone please share the recording of today's webinar about defending Azure?
What is EDR visibility limited to?
endpoints
Anyone please? I missed the session today
It's most likely been recorded
how long this path will be free?
It isn't free. only first 2 rooms are free
yeah right but not sure where they uploaded it or how can I access that
It will probably be on yt
Any nudges on where to find the Workflow Id for https://tryhackme.com/r/room/justlooking Task 4??
Only question left
you can check the logs: open the Logs (Link to LA) then open any log entry, look for AdditionalDetails, you will see it
I am a beginner in the cloud. Is it worth it to buy 3 month access with a discount? I plan to write SC 900 next month.
Could anyone give advice please? 🥺
I tried the path and I can confirm that is pretty beginner friendly
am i missing something...i have ingested the logs but when i go into the log part the queries is blank?
You haven't written a query yet, are you trying to query any of the tables?
no just setting up first
Hey! I've been watching your TryHackMe YouTube videos super helpful stuff! I also came across your profile on LinkedIn and noticed you accepted my connection request. Just wanted to say thanks and keep up the awesome work!
Gave +1 Rep to @wide dome (current: #147 - 57)
i reloaded the room but now i have a permission restriction in logs, do i need to now subscribe?
just wait few minutes, then refresh the page
just disappeared thanks
Gave +1 Rep to @wide dome (current: #145 - 58)
In MS Sentinel: Investigate module, is anyone getting the issue where the alertRules and deploy-workspace deployments are failing? alertRules is saying "Maximum rules count per tenant exceeds the allowed limit 10000. please contact support if this an intentional action." Any advice?
i tried 5 times and the logs appeared once, im trying again today
Sounds like you are deploying the rules prior to the events and workspace finished deploying
figured out what i was doing wrong i wasnt inside the eastus-sentinel space for logs
hang on, must one have completed the starting labs to continue the labs in the next exercise?
I thought each cloud instance is for its own lab
MS Sentinel: Ingest Data ---> I thought this was its own lab but seeing I created sentinel in the previous lab, I thought it would be there in the next cloud instance its not there. So I need to go back and create the sentinel workspace all over again to do this lab?
You don't have to, no.
thank you
Gave +1 Rep to @radiant kiln (current: #5 - 1857)
do you need to subscribe when your limit exceeds 10k?
There shouldn't be any difference if you are subscribed or not
The issue you are facing is most likely because you haven't waited for the workspace and event ingestion deployment to be finished before deploying the rules
I am not manually deploying anything. I am following what the instructions say, I am literally deploying the lab and logging in, then waiting. After about 5 minutes every deployment completes besides the "alertRules" which takes about another 15 minutes before failing
Which room are you doing by the way?
i get this error: Maximum rules count per tenant exceeds the allowed limit 10000. please contact support if this an intentional action.
(Code: BadRequest)
my deploy has the error at the top, the logs were successful all under the error notification
Can you please tell me the room?
MS Sentinel: Just Looking
Okay that was my assumption, that's why my previous message regarding making sure to have the ingest events and deploy workspace action being finalized first.
In task 2 it's described to press the Ingest Logs action first, and to not press the Deploy rules button yet
So having pressed only the Ingest Logs action. Go to your deployments tab and wait until the ingestEvents and deploy-workstation actions have been completed
In the image I shared above, you see that these actions are still in the deploying state
You have to wait until these have finished. Then move on to task 3 and follow along with the Ingest Logs action
i understand im trying to say the logs were successful with all green ticks. When i the deploy rules the error says iv exceeded allow limit. I cant screenshot or i'd show you what i mean
If you verify your account in here, you can send screenshots
Okay I see now what you mean. Let me try myself real quick
Okay something is wrong here. I need to forward this to get looked into. Thx for bringing it up @quiet niche
Gave +1 Rep to @quiet niche (current: #1847 - 2)
no problem i thought it was a subscription error, thanks
Gave +1 Rep to @radiant kiln (current: #5 - 1858)
MS sentinel: investigating
You get that same issue there too? Let me check
Yeah but let me do it one more time and make sure it's not me doing something wrong
Yeah still getting that error
In the "MS Sentinel: Just Looking", Azure is not deploying the rules due to maximum rules count per tenant reached. "Maximum rules count per tenant exceeds the allowed limit 10000"
Still getting the error, is there a fix yet?
Hey there! Yes we are aware of that issue regarding the Analytics rules. Please bear with us while we are trying to fix it
I'm getting the same error, can someone help with this please!!!
I am also seeing an error after ~20 mins in room Sentinel: Investigating. Same screenshot as @quiet niche from yesterday. I tried with about 4 different lab joins and got the same error each time about maximum rules count per tenant over 10k.
I will move on and come back to this one, thanks Fontaene
Gave +1 Rep to @radiant kiln (current: #5 - 1860)
KQL advanced queries (task 3). The cloud instance reads like the logs are dynamic, but the query required to answer the question expects specific results. The cloud details pop out doesn't have any associated actions/deployments. When checking the resource groups I'm welcomed with a permissions error.
KQL advanced queries task 8 has the same issue. There is no deploy lab option, even though task 7 states there will be.
Hey
Yes, we are aware of that issue and have added a note about that in Task 8.
I hope this will be fixed soon!
You need to first press Join Lab. After that the Actions tab will appear
Tried using this workaround but couldn't figure it out: https://www.reddit.com/r/tryhackme/comments/1k2wntw/please_fix_this_error_sentinel_looking_challenge/?rdt=62868
looks like I am going to have to switch to the aws learning path now for the time being till the issue is fixed 
when can we expect a fix? days? weeks?
I am getting same issues with intro to kql as well
I thought maybe the KQL labs might be doable at least while the other issues persist but looks like its not
I think we all deserve an extension of the 3 months for issues with any labs, based on how long it takes to fix it.
That room doesn't have a Deploy Lab actions tab
sorry just realized now its the demon analytics we use. I thought we use the cloud details green button then launch open lab and then navigate to the workspace there.
Not a problem. We are also looking to have these demo logs replaced with something more reliable eventually
Hi team, is it possible to get a 50% discount voucher in the next 24 hours? I would get it for myself, I am already an annual subscriber. I thought the discount was valid until the end of the month, but now I see the official promo ended on Friday
Yeah unfortunately its gone now.
also it does not really mean anything if u are an annual subscriber, I doubt THM would give u any special treatment considering some of us in here have only got 3 months of this content and stuff is not working already and they are not giving us any compensation such as extra days. If their environments die tomorrow we wont get a refund at all. So I would not be too worried on missing out.
May I ask where you get this information from? I would hate to see that your statements are always based off assumptions?
any refunds for people who have purchased monthly or annual subscription?
Monthly Membership Subscriptions: Monthly subscriptions to TryHackMe are billed in advance and are non-refundable for the subscription period they are purchased for. The subscription renews automatically at the end of the term if not cancelled before the renewal. When you purchase a subscription, you agree to a renewal charge for the service, whether it is monthly or annually. This is explained on the Why Subscribe page where you select your plan. If you choose to cancel your subscription, you will still have access to the service for the remainder of your billing cycle, but you will not receive a refund.
Annual Membership Subscriptions: Annual subscriptions have a 7-day cooling-off period, during which you may request a full refund, provided you have not accessed or downloaded any course materials. To be eligible for a refund, the request must be made no later than 7 days after the purchase date. After this period, or if course materials have been accessed or downloaded within the initial 7 days, refunds will not be granted.
"Cloud license is non-refundable"
These 2 policies seem to apply to the regular subscriptions, not to like the cloud packages. But either way. Stating "stuff is not working already and they are not giving us any compensation such as extra days. If their environments die tomorrow we wont get a refund at all." indicating THM would not care and thus neither would compensate or extend the packages is just outright an assumption of you.
So what have I misread in that article?
If stuff is not working for all users are we entitled to a refund or extra days or is my assumption wrong?
You might want to inquire via support@tryhackme.com first before making such statements to other users that sound like facts and give the impression of "If the environment won't work anymore, THM wouldn't care". Does that make sense?
You can be assured we are trying our best to keep everything working and are trying to solve issues as fast as possible.
Thanks @subtle pecan and @radiant kiln for the follow up
Gave +1 Rep to @subtle pecan (current: #695 - 8)
ok so you are not sure either then? I would expect THM to give some form of compensation if "All users" are affected? I can drop them an email like u stated to find more info but its not handy if that info is not in the article and we have to email to find out. I would rather THM be transparent and include all the details in the article.
If the info is not in the article my assumption is its not the case, that is where I am coming from.
Yes, please reach out to support then. Just to note, it's just 3 rooms out of these 15 that have an issue for the last 3 days. That package also includes the AWS path, so I'm a bit unsure what kind of compensation you think would be appropriate. But yes, talking with support first is the better way for sure
ok thanks
Gave +1 Rep to @radiant kiln (current: #5 - 1861)
You can analyse raw logs. Link to the ps1 script You can find inside Azure lab, don't know if it's allowed to post it here. Inside this ps1 script there is a link to raw logs, for example disable_accounts.csv. Inside it You can find answers for Q2, Q4 and Q5. Unfortunately Q3 "Check out this IP's geolocation. What is the city?" doesn't match with the answer, but this is the only one left unanswered for me atm. Hope it helps.
And clearly this question is messed-up. EDIT: It's all ok now
Question 2 is working correctly.
Could you DM me a screenshot of what you found as the answer from the raw logs?
Hello everyone, the following three rooms have been made private for maintenance:
MS Sentinel: Just Looking
MS Sentinel: Investigate
MS Sentinel: Detect
We'll post an update once they become available again.
KQL Basic Queries lab, I am trying to do Task 9, It does not tell me which custom date to use to query the logs... Like Task 3 did, I tried to use the dates shown in the little animated images but had no luck with those times... Help?
go back few years like 2021 and it should be fine.
and one more thing - you should launch new lab. go back to Task 3, close the lab and go to Task 9 and launch a new one. It's not the same.
ok, if there is no logs event when you ask for SecurityEvent_CL then choose the table manually from the left menu, heres how:
Just click on "Run" button besides SecurityEvents_CL and You should see the logs.
Did that.
I tend to run in to this a lot too, I have been running the lab for about 10 minutes so far and the logs have all been ingested/deployed based on the deployment screen in the resource group...
Still nothing, tried 2021, 2022, 2024... nothing
Now it's showing up... No clue, this stuff is buggy from what I can see, and having to pay for it...
You can also check here, as mentioned in the Task 9: Lab deployment may take about 4 minutes. You can check the deployment status via Resource groups -> Select the available resource group -> Settings -> Deployments.
sometimes indeed You have to wait more time, but it's a place where You can check if everything is up and ready
Actually, KQL (Kusto): Basic Queries is free... but, yes, it should be more stable:
That's moot, I am doing all the rooms and they all have the same issues, and they're not all free.
few of them are free, few of them are paid
Again, moot.
What's the issue exactly? That permissions error you got?
And if so, you said it happens in all rooms, by that you mean all KQL rooms, or also like all Sentinel rooms?
My main issue was no matter what custom date I set it to it was saying there were no logs, I refreshed several times and after about 20 minutes of messing around the logs finally showed up.
As for the permissions errors those happen as well... It's happened to me in the Sentinel room, KQL room and the first Challenge. I even went to check and make sure my permissions were showing in Azure.
So for the logs issue, it should take around 4 minutes to have the logs ingested after you pressed Deploy Lab on the actions tab. I think another user also pointed out you can check the deployments status.
Yes, I waited for that, took about 5 minutes.
But it was about 15 minutes after that.
They all showed the green "deployed" icon in the Deployment Tab
But if the logs have finalized deploying, you should be able to see them. Not sure what might have happened then
Yeah no clue, I tried the lab twice, the second time I was messing with it the way the other user suggested, but clicking on the SecurityEvents_CL and clicking "run"
For the other issue regarding the permissions error. Did you make sure to log out of the previous lab account first?
But I messed with the custom date a bunch and no dice, then suddenly it showed up in the "3 days" time set up.
Ye maybe if you can try again, and let me know in case it still happens, that might be easier to troubleshoot
Yeah, it happened both after I logged out of the task3 lab, I logged into the task 9 after, and the permissions were wonky, then I tried again after an hour (and that other user suggested a workaround) and both labs had been exited for quite a while.
I was able to finish the lab the second go around, just took a bit.
like I said eventually (like 20 minutes later) it populated some logs.
Okay. Ye I wonder why that might be if the logs finished deploying. But there might be also a chance something was buggy on the Microsoft side. But let me know in case you encounter anything similar again so we can potentially troubleshoot while the issue is happening
Alright, appreciate it.
Thanks for raising this, I am having similar problems. But I guess I will wait for 20min 
Gave +1 Rep to @viscid sparrow (current: #1848 - 2)
thank you
Gave +1 Rep to @shrewd dagger (current: #17 - 541)
cant wait to finish the Sentinel room, first insight to this SIEM
KQL (Kusto): Advanced Queries - Excellent room, as a person who uses Sentinel every day, a lot of the stuff is already familiar to me, However I found functions very interesting.
Lab was very good as well 
XDR: Prevent, Detect, and Mitigate Defense Evasion Attacks- I am unable to follow along with task 6 lab due to insufficient permissions
It's been extremely buggy. The path is solid in terms of learning content. But the bugs have been extraordinarily frustrating to say the least. Hopefully it gets optimized in the next couple of weeks. Azure bootcamp is tomorrow, I shelled out for the add-on and took time off work to attend that so praying to the lab gods for stability.
Epilogue of reaching out to support: I was denied for this discount. Better luck next time.
What is the "Request tenant environment" button at the top of some of the rooms (like XDR: Defense Evasion) supposed to do? Nothing seems to happen if I click it.
Agreed.
@radiant kiln This is the Advanced KQL lab. As you can see I am getting no results, I even went as far back as June 2024 (the images show July 2024) and still getting no events.
Working now... but I had to wait well after the logs finished deploying.
Unfortunately the AWS path is the same too. Literally room breaking bugs. Support is non-existent too
Okay I just tried this now and it indeed seems to take longer for some reason. Not sure why that happens now. I'll forward it to have it get looked into!
I am gutted that the challenge room is privated as its something I wanted to do, hoping it gets fixed soon and put back
I was disappointed that you can just click Complete in the final room instead of having to prove any type of skill
Half the questions in the "labs" were ridiculously easy yay or nea questions, cmon guys.
Hi, I am trying to finish the Defending Azure learning path, but I am constantly getting zero logs to review -- even when I adjust the time frame.
Can anyone assist me?
I verified four times that I used the provided credentials.
Which room and task you are trying to solve?
But your previous image looked like one of the KQL rooms?
Maybe I uploaded the wrong screenshot
Gimme a sec
There isn't an active log analytics workspace
Yes that's not the challenge. You supposed to "take over" the tenant by becoming Global Admin (GA)
I see, thanks
I will try tomorrow
If the challenge is to take over Azure to become the Global Admin, why is the learning path called Defending Azure?
They added the Can you GA after they made the whole module so at first it was all defense, now there is a single attack based challenge, but overall the whole module talks about defending.
Haha this one made me laugh irl 🤣
and I am curious to see THM response to that
Hi there, did anyone attend the bootcamp yesterday? Do they post the recording of the session anywhere? Unfortunately I thought it was today at 4pm so I missed it entirely.
Do we know how long it will take? weeks? months? ideally hoping I will be able to have a go at it before my 3 months expire
Hopefully by early next week. If you sent in a ticket to support we can extend the access
Thank you
Gave +1 Rep to @neat fox (current: #55 - 168)
Will this path help prepare you for the SC-200 since that focusses heavily on sentinel etc
Yes sort of.
the SC-200 exam is more of a where is this in Sentinel where is that in defender
rather than scenario sort of based questions of incidents.
@neat fox the sentinel challenge room is now public and the other 2 rooms are still privated. But it still has" We are currently investigating an issue with the Analytics rules and therefore the room will not work as expected" banner on the room. Is it fixed now or still getting fixed?
Not too sure about this. @shrewd dagger Do you know?
Thanks!
Gave +1 Rep to @subtle pecan (current: #597 - 10)
I think it will at least create the base
It's fixed and the note got removed too now
cc @neat fox
cool hoping the other 2 privated sentinel walkthrough rooms get sorted this week as well.
MS Sentinel: Just Looking - Completed. Relatively easy, I would like to see a harder challenge with a full blown investigation that requires us to use kql queries to investigate and not just rely on analytic rules
Is there any kind of a video tutorial for setting up in the defending azure labs? I was finally able to launch the labs properly for Defending Azure, but now moving into KQL I'm at a standstill. I try selecting "Microsoft Sentinel" but it keeps rolling back to "Welcome to Azure!". I've closed and signed out of the labs and relaunched several times but since there are no tutorials covering the initial steps I can't tell if I'm just missing something
same bro
Yes, you are not supposed to connect that data connector (the Entra ID one), it's just to walk you through. In task 7 you'll be asked to connect a data connector on your own, which will have all prerequisites satisfied
Which KQL room are you doing?
"can you GA" I have found the user flag, why is it not working!!
@neat fox
take THM users money and break the rooms thanks
@inland parcel can I dm you the user flag cause I think u have completed the room looking at the scoreboard, so you can check whether the user flag I have is the correct one
Yeah feel free
Thank you very much. We need more mods like KGB.
Gave +1 Rep to @inland parcel (current: #1 - 4772)
I don't believe that room has been touched, Do you know?
@shrewd dagger @radiant kiln
No issues there. Flag seems to be still correct
It seems there is another flag that was placed in that room, please can we stop adding unnecessary rabbit holes.
Where do you see an extra flag?
can dm u
Yes go ahead
Blackout emailed me back about my ticket so I sent them screenshots. It's the KQL (Kusto): Introduction room
Can you provide me with those screenshots too? I may be able to give you an answer to your problem right away then
can you GA, would be useful to have commands provided with task 6 -9. Asking users to do it themselves when the path is about defending is not good
Hey there! Sorry for the delay. Is this the Demo Log Analytics URL you try to open where you get that error?
If so, it opens just fine for me.
If you tried to open some other page like Sentinel, that's not where you supposed to go to. But instead just navigate to the provided URL
I'm launching the lab from the link within the module
And Then the lab takes me here:
So im unclear on where I should be finding the logs shown in the screenshots in the instructions if I'm not supposed to go into sentinel
missing_space
That's the info as of this evening, although it was a diff lab ID yesterday
This was it last night
Just to let u guys know its better to use cloud shell or your own VM for the tasks, the attackbox disconnects mid-way for no apparent reason and then u have to start all over
Hi all,
any hints for this challenge in room Azure: Can you GA?
What is the user flag?
Try to inspect suspicious user properties
Thanks
Gave +1 Rep to @inland parcel (current: #1 - 4790)
You probably already solved it, but if you are familiar with azure, a quick command to list all users in your terminal gives a lot of juicy details
I'm getting this error, but in the KQL (Kusto): Advanced Queries room, I can't finish task 3. The query that I need uses tables VMComputer and ProtectionStatus and appears to be empty. Already change the time range and still show no info and I use this link to: https://portal.azure.com/#view/Microsoft_OperationsManagementSuite_Workspace/LogsDemo.ReactView same results.
I am experiencing the same issue. The Cloud Details button>Join Lab launches " KQL (Kusto): Introduction" I this might be the issue
It's explained here with a link to the demo logs
Tbh I think the order of the instructions is what has gotten me so tripped up on this
when is it going to be fixed
wish i could tell u, send an email to their support email maybe the more ppl that do that the faster they will fix it
Sure will try it as well and Thanks !!!
Gave +1 Rep to @willow epoch (current: #2857 - 1)
Np, let me know if you need any more help with it
a lot of the tables are empty so you cant get any results, which is making the practical aspects pointless as you cant experiment the KQL. Up until now I've been able to guess the answers either through looking at the screenshots or google but my current question needs the ProtectionStatus table which is empty as google and chatgpt have nothing. So i cant go any further. I also can no longer access AWS after less than a week of my 3 month subscription. So I dont get it either
any update on the other 2 private rooms? when can we expect a fix?
Which room and task are you doing?
cc @stray mulch
We are in contact with Microsoft for a solution, but we are relying on their responses/support, which are not the fastest it seems. So can't give you a good estimate right now unfortunately, but shouldn't be too long hopefully.
hey, any update on that?
Having a lot of issues with the Defending Azure path. I am never able to return to my original subscription:
This is of course a blocker and has been
How is this supposed to work? If I completed the Sentinel room days ago shouldn't the lab open up my pre-existing instance and not a brand new one?
same gang
Each time you start a lab, a new individual account gets created for you, while the old account is no longer working after the timer runs out.
Hello, I have an Azure penetration test scheduled for next month.
I wanted to ask if the Azure learning path on TryHackMe is considered effective preparation for real-world Azure pentesting, or should I complement it with other resources?
I always prefer to combine multiple resources, THM's Azure path is really good
I'm preparing for an Azure penetration test, and I noticed that the TryHackMe Azure path seems to be more blue-team focused.
I've completed PWN labs and other CTF-style content, but I'm looking for stronger, hands-on resources tailored specifically for Azure offensive security.
Do you have any recommendations similar to THM but more focused on red teaming or real-world Azure attack scenarios?
Yeah it is more blue team focused. I am not sure about additional resources, you may try to ask in #cyber-and-careers channel.
Thanks bro ❤️
Gave +1 Rep to @inland parcel (current: #1 - 4841)
Nah THM Azure path aint going to help with that. Its defensive not offensive
try pwnedlabs they have good stuff from what I have been hearing.
ik, in GCP, Azure, and AWS, but I need more resources. I'll start searching for new ones
btw, is the AWS Attack & Defense path in THM good for pentesting?
I would say its meh, but the machines are always having issues. So I would not invest into it.
if u read #attacking-defending-aws u can see what people think of the path
Thanks bro β€οΈ
So just to confirm, in order to avoid re-doing tasks (re-deploying Sentinel) you should plan to complete one or more rooms in single sitting?
No you don't have to complete one or more rooms in a single session. All you pretty much have to do is log in with a new account each time you are asked to deploy a new lab. E.g. one room/lab might have no workspace whatsoever because you are supposed to create it on your own, while the next room/lab/task might already have the workspace created and ingest logs that you need. That's why you need different accounts because of different environments/permissions that are needed throughout the different labs
Hi, could you solve this? I'm having the same issue
Seconding this, in the same situation where no data populates on the VMComputer table. Can change the date back years and nothing populates. All the other questions have a screenshot for the demo Microsoft table just in case something goes wrong. Not sure why they didn't set up their own data to use for these examples, the rest of the room has them.
This question actually needs the data populate it seems, so I'm waiting for a resolution on this as well. Specifically, Task 3 of KQL: Advanced Queries room.
Which room and task are you working on?
cc @exotic finch
In the kql advanced queries, specifically, for the question 2 in the task 3. No results in the table protectionstatus and vmcomputer
Same as Unf0rg1v3n, Task 3, Question 2, "Run the 'Combining Multiple Columns From Different Tables' query and modify the time range. What is the threat status detail?"
Same here
Hey there
It seems there is indeed an issue now with those demo logs, but we are already working on a long term solution for this.
For the time being we have changed the question so it's no longer a blocker. Sorry for the issue here!
cc @proud olive @indigo arch
Thanks for the update and resolution Fontaene.
thank you
Gave +1 Rep to @radiant kiln (current: #5 - 1863)
Are these 3 modules gone or will be back?
Which modules you mean?
MS Sentinel: Just Looking
MS Sentinel: Investigate
MS Sentinel: Detect
Unfortunately I have no ETA for the Investigate and Detect rooms. But the Just Looking challenge is already back live
2 KQL rooms I completed 100% show 85%. I reset both, did it all over again and it still generate the completion screen, the header shows 100%, but when exiting keep 85%.
I wish I hadn't invested in this learning path. Do not recommend.
There is also the issue related to 2 MS Sentinel rooms that simply disappeared.
I have the same issue with the KQL intro and KQL Basic rooms. Says 87% and 85% completed, but all tasks are done in both rooms.
@kind dew @fossil mortar I've forwarded the message to staff, they will reach out to you asap
This might have happened due to some recent questions/answers updates. I'll forward that to get fixed.
You mean the sentinel Investigate and Detect rooms that disappeared?
@inland parcel , thank you very much!
Gave +1 Rep to @inland parcel (current: #1 - 4899)
Fontaeme, thank you very much!
how am i supposed to complete kql advanced room when the database is messed up
Could you elaborate more specific what you mean?
On the "Combining Multiple Columns From Different Tables" query, what row is excluded from the ProtectionStatus table?
i tried everything cant find the answer
That answer can be found in the query itself, not via the logs. Since the query excludes it, you are not able to get your answer from the logs
yeah i realized xd
Which task is this for?
Lab-02: Discover
Thank you, people are beginning to see the light
Gave +1 Rep to @kind dew (current: #2875 - 1)
I am getting my license expensed back from work at least this month. Feel sorry for the people who paid out of pocket and did not get what they expected.
Did you terminate the lab from task 2 and started the new one in task 8 where you also pressed Deploy Lab in the Actions tab?
And then also logged in with the new creds from task 8?
Hey there! These 2 rooms should now show correctly on the path. Sorry for the inconvenience
yo anyone here done the azure ga room?
on the ms sentinel just looking room. the incidents are not loading and they are not here
is it common
Hello, are you referring to the rooms Sentinel: Detect and Sentinel: Investigate ? They still do not show in the path page. Also I've bookmarked them previously when I purchased the cloud combo, and when I try to access them directly they show as "This room is private".
Hey there! No this was in regards to the KQL rooms that showed the room progress incorrectly on the path page. Unfortunately we are still waiting on Microsoft to help us fix the issues we are facing with those 2 Sentinel rooms
I'm confused about the "Defending Azure" learning path. All of the rooms I've completed are "Free". What exactly did I pay for?
They're just marked as "free" because they don't require premium subscription but you still need to pay for an Azure add-on
Thanks for the clarification
Gave +1 Rep to @inland parcel (current: #1 - 4952)
Hey guys can someone give me a hint how to connect as the target app to the azure tenant in the room "can you ga?" on defending azure?
Hi guys, just trying to log into the Lab of "Azure: Can you GA?" but always get the error "user might not have enough permission"
Is there anything I can do or try?
Hi Everyone, I am stuck at XDR: Defense Evasion task 5 where it refers to incident: Attempt to turn off microsoft defender Antivirus protection but when I login with the provided credentials there is no incident like that. Is it a known bug?
I am in the exact same situation and am unable to complete the room.
The screenshots show the incident occurred on the 21/11/24 unfortunately the Time Range on the incidents page on Defender can only go back as far as 24/11/24 as of today, I was doing the lab yesterday and I could go to the 23/11/24. It looks like we got the lab a few days too late to see that incident. Hopefully an update will come
I solved it yesterday finally but with an alert different from what is mentioned in task.. There is a malware alert which can help for this question. Give it a try.
I'm unsure what you exactly are doing. But this is not a log analysis challenge if you try to like access sentinel
Let me check
Okay it looks like 2 days ago the 21/11/24 date is now outside of the 6 month time range. I have forwarded it to get checked out!
Hey everyone, is it just me or are there no logs showing up when I connect to the environment in KQL (Kusto): Basic Queries or KQL (Kusto): Introduction? Just want to make sure I'm not missing anything.
In "Can you GA?", if Azurehound is needed/recommended, would it make sense to include it into the AttackBox tools?
They have updated one of the questions in the XDR: Defense Evasion Lab. The new question is "What is the value for Malware detected?", the answer is 4 characters long. I have no idea what value it is looking for, initially I thought it was the risk level which is High but that is not correct, then I thought it might be a processID but none of the ones I have tried have worked. The only mention of value on the whole page is in reference to registry values, which doesn't match 4 character limit. Any ideas as to what value I am looking for?
The MS Sentinel: Investigate and MS Sentinel: Detect rooms are now back live again!
Sorry for any inconvenience caused by that.
XDR: Defense Evasion
Room 5
Question
What is the value for Malware detected?
Anybody know how to find this answer? been stuck for a good 20 minutes
This question makes zero sense for me ... @radiant kiln
did you figure it out?
I updated the questions slightly, maybe it's more clear now
thank you, passed the answer you changed
Is deploy rules bug fixed for MS Sentinel: Just looking room? I am still facing the error after deploying rules in that room
Resolved- I had to leave lab. Ingest logs and wait to deploy rules.
Could you please provide a hint with "What is the value in the Malware detected field?"
It's probably the first time I've truly gotten stuck... 
Have you figured out how to solve it?
Are you using the Alert timeline to answer the questions? If so, you just have to look closely, the info is there
Hi, anyone in Azure Challenge (Can you GA?)? I'm getting an error when I try to log in with the user
I'm getting the same error in the challenge after, MS sentinel: Just Looking. Cant get it. Tried in incognito mode as well
Guess my issues are related to this. Trying to progress in "MS Sentinel: Investigate" but user credentials isn't working and I get redirected to a 500 page on THM every time I try to deploy the lab. Might be a bigger issue...
I do get same error as you are describing when trying to log in with cloud credentials in "Azure: Can you GA?"
@radiant kiln What's up
I will forward it to have checked out as I'm not sure what causes this right now
cc @charred laurel
I am facing the same issue with Can you GA room. I was able to login last night but it is not working now.
Works
is defending azure paid even if we have premium? Same for the AWS one?
Yes it is
Gotcha!
Hello, how do I get telemetry into the tenant in the "KQL (Kusto): Advanced Queries" in "Defending Azure/KQL lab? I went to "Demo Log Analytics," but I'm not getting any data in the query. I couldn't find a "Start" button like in previous labs.
Hi, any hint for the task 7 to generate a new client secret in the room: Azure: Can you GA?
Hey folks! I've completed 4 sections of the course and received a certificate stating that I've completed 5 (!) sections, including Microsoft Entra ID, which is not available for me.
Do others experience the same issue with Section 5, or is it working fine for everyone?
I submitted a ticket to the support 2 days ago, but haven't heard back yet.
Hello I am at the Azure XDR Evasion Room and Stuck on Task 5: What is the value in the Malware detected field? --> I tried all 4 log numbers out or did I misunderstand something?
I did and solved it
Hello, how do I get telemetry into the tenant in the "KQL (Kusto): Advanced Queries" in "Defending Azure/KQL lab? I went to "Demo Log Analytics," but I'm not getting any data in the query. I couldn't find a "Start" button like in previous labs.
Hi, I saw there were few modules which were added related to Entra in Defending Azure path but it is not visible anymore. Is it temporarily hidden?
?
they have disappeared for me too.
when the rooms were up, they were just blank templates with an inactive Join button
maybe they will return with content but I didn't need to do them to get the certificate when they were there
@hasty locust @radiant basin I think they're only available for business users now
hi guys im new here i need hackers and spammer friends
Hi, any hint for the task 7 to generate a new client secret in the room: Azure: Can you GA? I run the commands but I don't have the privileges to do it
Hey all, can I please get a nudge regarding Task 5 of XDR: Defense Evasion as I am stuck on the third question, it's not clear what they're asking.
wdym ?
What I mean is that I am kind of tearing my hair out regarding what we're meant to be looking for here. I have been looking through the logs in the Security portal and nothing sticks out to me here.
Can you provide some shots of where you're looking at ?
Sure give me a moment please.
It's just this question. I seem to find a response that meets that style
I have been following the steps to this: Attempt to turn off Microsoft Defender Antivirus protection but it doesn't seem to stick out to me
When I am going through the incident reports
It's probably just staring me in the face and I am just not seeing it to be completely honest.
Can you provide a shot ?
This is the closest I have been all day, not sure if I am missing it completely or if it's just a honeypot (?)
expand pe metadata
Can you go to process tree for a more detailed view ?
How do you mean?
Instead of alert time line go to process tree tab
Oh right, gimme a sec
This is where I get a bit overwhelmed to be honest, there are multiple instances.
everything started with the execution of that cmd.exe at the top expand that to see more details
Screenshot would be better
Naturally, here it is
Ok we're now interested in Attempt to turn off Defender AV protection event go to reg.exe field associated with it and expand it
Ok, but the thing is here is that, there are multiple Attempt[s] to turn off Defender AV protection, I do apologise if I sound dumb here, but should I start from the top and work down? I have attached a screenshot of what I mean
yeah
Right then
I have been going through this with a fine tooth comb, not seeing it, sorry.
I have been going through each event but I am just not seeing it
God, I am blind lmao
Hi @untold socket , I'm stuck on the same question as you, can you help me please ?
i dont understand, what is the value "malware detected" π«
Did you get it ?
Yeah, it was hidden in plain sight and as usual I was overthinking it
Does anyone experience error while installing content hub solution? how do you solve it?
Is there any support here?
Can you provide some shots of your issue ?
Hello all, can anyone help me please ?
I'm stuck on this same question and cannot for the life of me figure out what all this is supposed to lead me to
Oh for the love of Pete I just figured it out. Tbh I think this question could use some rewording because if someone doesn't have English as a first language (and even those of us who do) I don't think it's obvious enough to reliably lead users to the answer
Looking for an assist on Task 6 of "Can you GA?"
And or Task 7 I can't figure out how I am able to get the permissions to provide a new client secret
Overall pretty confused by this room as I'm not sure how I'm supposed to escalate from my current user as the THM provided credentials to either Kenneth's account or to the IT Ops app
From a long time THM user this room is pretty poor, especially when its a red teaming room dropped in the middle of a blue team paid course.
@inland parcel any chance you could assist me here? I saw you are Rank 5 for completion of this room. Would really appreciate it
Try to use AzureHound, you should be able to download list of users as far as I can remember
Yes, I've done that. I'm now unsure of how I go about elevating my privileges from the user account provided in the room to the privileges of the itops app
I figure I need to create a new client secret for the itops app but I can't see how I have the permissions to influence a secret for the app
Try to inspect properties of each user
?
Just please keep the wording appropriate, we're not alone in this channel
Right, sorry.
Can you please verify and provide a shot of what you're trying to do ?
Enumerate properties of all users , AzureHound may help
You shouldn't look for log numbers
Needing a push in the right direction here. In the XDR:Lateral Movement walkthrough I am stuck on Task 5 - Question 2
What is the investigation status for the alert: 'Winlnk' malware was detected? It appears empty to me
Figured it out, looking in wrong spot
Hey, can I get a hint on the way to generate a new client secret -> Azure: Can you GA?
Try to enumerate all existing user properties
It's good sorry, I'm blocked on Azure XDR Evasion Room and Stuck on Task 5: What is the value in the Malware detected field? --> I tried all 4 log numbers out or did I misunderstand something?
Log numbers ?
processid
You shouldn't look for pid, question tells you to look for Malware Detected field
i dont understand, what is the value "malware detected"
That's the name of the field , look for it
I work on the MD platform every day, I've never seen it wtf...
Inspect the incident's timeline
ctrl f , i dont find the value, we dont have a hint?
We talked about it here check it out
#defending-azure-path message
ok thanks its on reg.exe 
Gave +1 Rep to @inland parcel (current: #1 - 5492)
I need help with room XDR: Lateral Movement in TASK5. I did everything according to the lab scenario choose "Last 6 months" and " Find and click "Multi-stage incident involving Execution & Lateral movement on one endpoint" (Incident Id: 42)" but there is no Incident id:42 in my lab !!
How am I supposed to finish the paid content on time without it showing up in the lab environment correctly? Because if it does not show up, I can't answer the questions asked.
Same thing here
The best way to deal with broken rooms of THM is to pay for them without actually doing them: https://medium.com/@bhuvanirangesh1995/tryhackme-xdr-lateral-movement-987b87a8eef1
Would people recommend this lab rather than setting up my own environment and paying for it? I'm thinking about setting up my own resources but wondering if this is better. Obviously cost would be lower for my own
Does this path have full simulations and log data to look through?
Are there entire attack paths to see in sentinel?
I'm running into issues getting the logs to ingest when I launch the lab for "MS Sentinel: Just Looking" .
I go through the steps of select "Cloud Details" > Join Lab... wait 5 min... > "Actions > Ingest Logs"... but then I give it time to finish and see from "Deployments" that it's succeeded, but then when I go to "Logs" there's nothing there. Is there an obvious step I'm missing?
Just to clarify, I've closed and relaunched this lab multiple times to the same result. That's when I don't get other random errors that cause me to logout, leave the lab, and then launch again to retry
@inland parcel
It's not possible to complete XDR: Lateral Movement
I tried to reset the whole room, but still no luck
It is but the one question was probably removed in the meantime, that's why it shows 92%, it shows the same on my side
Should I add a bug report, or how can I get this completed
You can report it in #1333993673381253162
but it is already counted as completed
Hi,
I'm looking at going for the SC200 cert and noticed the Defending Azure add on subscription. Would this be enough to achieve the sc200?
Probably not this is only defense oriented, sc200 is broader than this path
hey ! Just wanted to inform you that the lab account provided in "XDR intro" room isn't working anymore . It shows that it is locked
Hi, I did not realize that this training was not included in the monthly fee. Just wanted to remind/inform who has access to an azure subscription that there is a nice Microsoft Sentinel Training Lab at https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Training/Azure-Sentinel-Training-Lab and is almost free. Maybe Tryhackme may think to set up a training that make use of that resource?
Hey all, I keep getting 'This page was moved to Defender portal, please connect your workspace to the Defender portal" errors on several of the Microsoft Sentinel rooms. Specifically on the Configuration > Analytics page, I can't create a rule and can't figure out how to view that in Defender?
Hey all, I've come from finishing the AWS path but cannot seem to start the Azure Environment. Going to Cloud Details still has all of the AWS stuff in it, Generating throws an error Room is not cloud room or is missing OU, Resetting environment just takes it back to the previous AWS state.
Did anyone have this issue?
Yeah the way you create environments is different
Its a per-room spin up type thing like there's a button that says "Create Environment" or something like that and it's in that particular module and there's always a module with instructions before
Bumping my earlier message, in case anyone has a solution -
Hey all, I keep getting 'This page was moved to Defender portal, please connect your workspace to the Defender portal" errors on several of the Microsoft Sentinel rooms. Specifically on the Configuration > Analytics page, I can't create a rule and can't figure out how to view that in Defender?
I am also running into this same issue. The Defender Portal, as configured in the lab, does not seem to have the ability to create/modify Analytic Rules (unless I'm completely missing something?)
Same Issue 2 weeks on without acknowledgement, disappointing considering we're paying top $ for this content
Which issue do you encounter ?
i get this when clicking on section 5 entra ID, and for my colleague section 5 does not exist
we bought the cloud licenses today
I think that entra is available only to business users but I am not 100% sure
Thank you kgb, might be bugged for me then
I am also having this same issue. The Defender Portal, as configured in the lab, does not seem to have the ability to create Rules
Try to reset env
Hey all, I cannot seem to get ANY data in any of the KQL Rooms, I start and deploy the lab per the instructions, I also increase the time filter to date back to January and wait 20+ minutes for everything to get deployed.
In all rooms / labs, I do not get a single result.
Has anyone else experienced this?
Functionality has moved to Defender Portal, and we dont have access to Defender Portal
Yep, been having the same problem
Hello. I am stuck on Task 7 in "Azure: Can you GA" room in this path. I'm not sure what object it is looking for in a powershell script. The "Echo AI" hint hasn't pointed in me in the right direction yet. Any guidance would be greatly appreciated. Thanks.
is there anywhere i can see until when i have access
I haven't found a way to see that in the THM site. I've just used my date of purchase to figure out when my access would expire
I am unfortunately still at a loss on this Task. Any guidance would be GREATLY appreciated. Thank you!
Has anyone had this issue with XDR: Lateral Movement not showing up as complete on your learning path, despite the room being complete? I reset the room and resubmitted all the Q's again, same issue.
Yeah that often happens when question is removed from the room after it was created , I'll forward it to staff
Thanks !
It's annoying my completionist mentality
do you perhaps know here i can find "Which administrator role assignment of the target app can be abused for privilege escalation?" from task 4? in that room
157 day streak is crazy
i don't remember where i found that answer, sorry. worst case - i suppose you could refer to the Microsoft documentation for Azure roles to see which role may be applicable?
Hello everyone!
I have a quick question regarding the room: Azure: Can you GA?
In task 5, I am not able to find the last question's answer and would like to request a hint on where to find it.
For me, under "App roles" says: no app roles have been added. Any other way to find this?
Sadly no, and would really need it to complete the path haha
im having the same issue, still didnt quite figure it out
also this one in MS sentinel just looking:
reset the env and it still came back
i think so
You around by chance @runic plover?
Yasss. Whats up?
I'm about to change the settings for the XDR: Operation Global Dagger to be accesible also with the cloud addon. Just one question: If you try access the room, what kind of screen do you receive? Like something along the lines of saying "You need a business subscription", or something else? Or even just a blank screen?
Just this currently
(Sorry on company PC, no discord allowed lol)
And what if you click on join room at the top right?
It just loops to the same.
Gotcha, thanks
Gave +1 Rep to @runic plover (current: #274 - 34)
Room should now be accessible to cloud addon users @runic plover
It works! Thank youuu! Was it business only until now?
Gave +1 Rep to @radiant kiln (current: #5 - 1908)
Yes
Very nice!
Hopefully I can figure out all the questions for the above to complete the path in 4 days lol
Good luck
cc @sharp wasp
I think you also asked about that. Should be accessible to cloud addon users now
@radiant kiln I don't know if you are the right person to contact in these cases, but we have reached the 30th of September, meaning 2FA is required for Azure tenants. This means that we need to set up 2FA for each lab, is it OK to use a personal Auth app? Or will that not allow other people to login later?
Also, this takes time to do for each lab, meaning it already takes a lot of time to ingest logs and wait for incidents, this is even longer. From the 1 hour window you lose around 15-20 minutes now just waiting
Also, for all Incident analysis rooms ( MS sentinel: Just looking etc) all incidents have been moved to Microsoft Defender as well lol
Meaning room walk-throughs can become out of date very fast. An update on these would be appreciated
Also, the new room XDR: Credential Access has not been added to the Azure path yet, but is accessible. Could someone please add it to the path? Thx in advance.
Yes, actually I thought the MFA postponing includes September 30th and the enforcement only starts on October 1st. At least that's how I read it on the Microsoft articles. Unfortunately there is no way around it anymore, meaning everyone has to add MFA to the account that is getting spun up. For all rooms that previously had a shared account, we are trying to implement the same credential generation as for the remaining rooms.
For the remaining points, I have to look into it first
Yep, sadly the MS Sentinel: Just looking room is now impossible to complete as there is no access to Defender (not allowed by the administrator)
OK, so I was able to complete the room, although not as intended.
After spinning up the tenant, logging in generating both alerts and then the incidents, all investigation needs to be done in MS sentinel, that is not available anymore as it gets directed to Defender.
Here for me at least, only one incident was generated not all of them as needed, but they are available as alerts.
Due to these being alerts only, they do not contain all the information needed for the investigation, only core data.
But... if you go to the alert you want to investigate > open it > scroll down > Query results and open the tables, you can get all the information needed from this to answer the tasks.
To get an even nicer view, you can copy the "view query" data and open a search in MS Sentinel > Logs > KQL section.
Hope this helps someone
But the room deff needs to be updated to show/contain defender screenshots etc
Thank you for adding the instructions and moving the room as requested
Gave +1 Rep to @radiant kiln (current: #5 - 1909)
No worries and thanks for bringing it up. For the Just Looking room, we are currently looking into it to see if it might be a "quick fix" or some major revamp is needed
Gave +1 Rep to @runic plover (current: #267 - 35)
Yes, it needs to be set-up on your own device per account and per room. Then after it can be deleted
So I checked the Apps and App registration pages to determine after checking the user. But still can not figure it out lol
App roles is empty for me, so is roles and administrators
Found it.... it took me way too long. But did it haha
For anyone wondering, PRA helps a lot!
thanks!
Gave +1 Rep to @runic plover (current: #256 - 36)
Im stuck on the same one, thanks for the tip. im going crazy
If help is needed please dm, happy to help if you can't find it with the hint
Just reporting that Lab 3 (Task 7) in https://tryhackme.com/room/sentinelingestdata still also has the CA policy to enforce MFA - really not a great user experience to have to enroll - thankfully can just look at screenshots or figure answers out
Microsoft now no longer allows postponing of the mandatory MFA enforcement. So unfortunately it's not on our end to control that any more. The mandatory MFA enforcement started on October 1st.
hello, for clarity..to access the labs and complete this path requires the cloud license for $375?
Yes, or a business subscription
got it. thanks
Gave +1 Rep to @radiant kiln (current: #5 - 1910)
@radiant kiln same "issue" with the newly released room "XDR: Operation Global Dagger 2" (https://tryhackme.com/room/xdroperationglobaldagger2)
it is not listed under the cloud subscription, although it is accessible it seems. Could you please add it to the track?
Done, thx
Gave +1 Rep to @runic plover (current: #250 - 37)
I have previously subscribed to and completed an Azure Pass. I'm not a petrol tycoon so I can't afford to pay $375 for an additional room...
Howdy. n00b here. I just completed Defending Azure and found another random room that I'm stuck on. It's overly-simple until the exploit stage. Not asking for the answer, but I would really like to know how to take the known password in (Azure: Eyes Wide Shut) to be able to get the flag. Any hints or help would be appreciated.
If the answer is: learn how to Red Team, n00b, that's totally acceptable.
is there any way to remove this? since these are limited to the business license. now I cannot complete the learning path
Done!
Is it expected that the KQL lab is trying to force me to setup 2FA for the provided [ephemeral] Azure identity...?
If anyone else gets stuck here, you can use Cyberchef to generate the codes:
|| DO NOT USE FOR ANY ACCOUNT YOU MAY EVER WANT TO GET BACK INTO ||
||https://gchq.github.io/CyberChef/#recipe=Generate_TOTP('',6,0,30)||
And now I'm in, but more errors (Lab for https://tryhackme.com/room/kqlkustobasicqueries)
An error occured when trying to fetch resources. Additional details from the underlying API that might be helpful: Please provide below info when asking for support: timestamp = 2025-10-25T01:40:39.0818005Z, correlationId = 8fbfbd82-5ea8-4fd7-9eeb-8912a5fa13c1. (Code: AccessDenied) Access is denied to the requested resource. The user might not have enough permission. (Code: AccessDenied) Try refreshing the page. Your resources aren't affected by the issue, we're just having trouble showing this view right now. To see a list of resources, select Simplified View.
Anyone seen/got past this before?
Looks like MFA is expected 
I'm having the same issue I just downloaded a temp authenticator app(mauth by xinto) for these temp logins. after i'm done with lab I'll try to remove the MFA
TBH I'd stick to something reputable like Microsoft or Google or even Twilio's Authy.
You can always go the route of an Android Emulator to run a native app, or use a Python library to take a seed and generate a TOTP
i would just use microsoft authenticator
So we can't connect the Microsoft Sentinel Workspace to Microsoft Defender?
i actually wanted to say that i have an annual subscription and i need to pay more money to access the cloud related rooms...
so annoying
Does anyone have a walkthrough for the Eyes Wide Shut room? I am getting stuck on the 3 to last step.
Did they change the tables in the Azure KQL demo?
I dont see the tables they are talking about in the KQL rooms
Can anyone verify the kennethallen password still works for the can you ga? room

The Azure DevSecOps room pipeline is failing because the Azure service connection is using a service principal with an expired client secret

Did you get any help with this? I am struggling with the flag
What part you guys stuck on?
I did. PM me with which step you're stuck in. I kept notes.
Hi, please if someone can help me, I am in room KQL (Kusto): Basic Queries, but when I am trying to search for the Log Analytics workspaces I am getting this info: Please provide below info when asking for support: timestamp = 2025-11-27T16:50:49.9426659Z, correlationId = a430ef7c-bea6-4fa0-b35e-e879ebfda100. Try refreshing the page. Your resources aren't affected by the issue, we're just having trouble showing this view right now. To see a list of resources, select Simplified View. Is there anything else that I should do?
I'm trying to work through XDR: Defense Evasion and Task 4 wants me to investigate an Attempt to turn off Microsoft Defender Antivirus protection incident. However, there is no such incident in the lab; I see 12 incidents and none have that title. I similarly can't find any alerts like that
This means I can't answer the question "What is the value in the Malware detected field?", because I can't find an alert to check the field
Eventually I solved this by just finding out what the default value for the field is by looking at other logs, but that doesn't seem like the intended solution
In the MS Entra ID: Introduction room how long does it typically take to request a tenant environment? Although it said that it can take up to 5 days, I'm hoping for a quicker deployment.
https://tryhackme.com/room/entraidintroduction
Nice job THM team on skirting the MFA-setup hurdle 🥳
(Temporary passwords seem to be working nicely 💪)
Anyone else having issues with the Azure Rooms: Eyes Wide Shut and Hoppity Hop? The problem I am having is the Lab is not deploying
Azure lab environment looks to be down, any THM support able to assist?
Did you ever get confirmation here? The password I found works for a different user but they have MFA setup so I can't actually auth
Same when I did it
Got the same problem on Azure rooms Eyes Wide Shut and Hoppity Hop. Cannot deploy lab. Can log in to Azure, tried Edge and Firefox, but deploy lab keeps giving errors. I emailed support yesterday, hopefully they will fix it soon.
Sent this onto the team and I believe it's fixed now. Sorry for the hassle.
@inland parcel could you please help me in kql in one task
What is the issue ?
Yep looks to be fixed thank you
Gave +1 Rep to @young canopy (current: #306 - 32)
@inland parcel hi, can you remove MFA on the accounts, it asks me to setup mfa…
Hi I am interested in doing Defending Azure lab. But when I try to do the implementation of Microsoft Sentinel it asks me to purchase the labs $35 per month single seat
Thanks, it works now
Gave +1 Rep to @young canopy (current: #287 - 35)
No, I can't. Reach out to support on the email below
Hello guys, can anyone help on the room Azure: Can you ga?
Task 4
Which administrator role assignment of the target app can be abused for privilege escalation?
On this question, when I go to the administrator role of the target app it does not match the answer
Question: Can I buy the $35 Teams plan as an individual instead of the expensive $329 plan? There's this team's plan which seems to be a lot cheaper compared to the 3 month plan. So can I buy this as an individual to get access to the Cloud path?
IIRC there's a minimum # of seats for any business plan - team up with friends?
thanks
Gave +1 Rep to @trail pagoda (current: #150 - 70)
Btw
I cannot find any logs data for KQL labs even for the last two months
nothing returning for the last 100 days even
When I try to go to Microsoft Sentinel, I get this error:
An error occured while trying to fetch resources.
this is the error:
An error occured when trying to fetch resources. Additional details from the underlying API that might be helpful: Please provide below info when asking for support: timestamp = 2026-02-08T08:52:12.2838041Z, correlationId = aafedc6c-5b42-4f6e-87ab-a5f6cb116397. (Code: AccessDenied) Access is denied to the requested resource. The user might not have enough permission. (Code: AccessDenied) Try refreshing the page. Your resources aren't affected by the issue, we're just having trouble showing this view right now. To see a list of resources, select Simplified View.
Is anyone able to access anything today?
Is there an All time option?
IIRC the Azure stuff came out ~1y ago
for a different lab I was able to see data
hey guys, quick question about the Azure Defending Pathway. it says something about needing a team plan, what does that actually mean? is that different from the normal subscription? and do we have to pay extra for the pathway or is it included in the monthly fee?
Lol, same Issue here. Just asked
Only Teams and Business can now buy the Cloud access??? Before there was an option for an add-on but now I can't find it....
U got to buy teams plan and add ur own account to the plan, support told me.
anyone know why the Entra ID section no longer exists?
It is probably going to be renewed
One new Entra ID just came out
You mean the entire Azure Entra ID module?
It does exist, but it's for business subscriptions only
Just confirming for those wanting to do these cloud access rooms, we pay for a teams plan and add ourselves as the single seat? Do you need a premium account as well or can I go from free tier -> team plan for the cloud training?
for the ms sentinel: investigate room, the lab section, it said to wait 15 minutes to get things up and running but the deployment page still shows two failed items after 20 minutes. It says failed on alertRules and deploy-workspace-xxxxxx
also for this room investigate and detect, i keep seeing that maximum rules count per tenant exceeds allowed limit. I see other people a year ago had the same issue. what does this mean and can i complete any of these labs?
Anyone can help?
Does someone know how to join lab in Azure DevSecOps? it is failing with ecd26695a1a84b17a0e8397cefe35bc0 error id
does anyone know why it takes 3 weeks to get a tenant populated?
Just got the teams package. I'm trying to do the sentinel one. Am I supposed to do the whole thing in one sitting? Or when I start a new lab should it deploy with the required resources already built?
You will have a guide for each task you follow then you proceed
could I get a nudge for Can you GA? pls
Hello,
I'm currently doing the "XDR : Privilege Escalation" (path Defending Azure > Microsoft Defender XDR )
https://tryhackme.com/room/xdrprivesc
The exercise to play in the lab is supposed to be done on the incident type of "Multi-stage incident involving privilege escalation", to have a look at the "UAC bypass was detected" alert, but this incident isn't present on the list, neither the alert.
Is there anyone who faced this issue, too?
I have same issue. Anyone who can help?
I have been working all weekend to complete the Azure Tapper challenge. I have been unsuccessful in setting up the MFA for Gumby. It seems to have been previously used, which may be preventing me from assuming Gumby. Can anyone reset the IAM config so that I can try to complete the challenge today?
Same issue here
I've found a way to skip the lab.
One answer can be found in picture and the other one with Google.
Just ask Echo..
Anyone?
Can you reset the MFA?
No..
Same issue here, how to solve it or skip? Thanks
Same issue as well been struggling a whole week with that mfa
I just have contacted THM regarding this room , this is a hint: "The intended way to solve this challenge is through the CLI to bypass this". Good luck!
I have solved it.
How? Could you give us some hints?
The web is rampant with write-ups, scroll line/line if you want to minimize spoilers
I am having this same issue. Any recommendations on how to resolve this?
