Hello and welcome to “Down The Well” with Gravwell where we explore use cases and scenarios that readily apply to real-world security analysis. In this six part video series, we are going to walk through basic operations within Gravwell query studio that an analyst might rely on when exploring their data. We will gradually step up in complexity throughout this video and ultimately illustrate a common workflow that many SOC analysts are familiar with: hunting for a phish. We will be using data from KC7 which can be found at https://kc7cyber.com/.
The purpose of this content is to step through basic, common queries that a Security Operations Center analyst might use when trying to orient themselves to their data sources. We will use a series of exploratory queries on tabular data that has been setup with an auto extractor in advance. It is intentionally basic but builds up some basic, important tooling that any analyst will love to have available. We will ultimately build up to a common use case of hunting down the results of a phishing email.