All Lessons
Skillset Training
Detection Engineering
Detection Engineering: Overview
DE Part 1: Pivoting
DE Part 2: Automating Detections & Notifications
SOC: Orienting An Analyst
Part 0: Introduction - Video 1
Part 1: Understanding A Query - Video 2
Part 2: Operating on Enumerated Fields - Video 3
Part 3: Interacting with Enumerated Fields - Video 4
Part 4: A High Level View - Video 5
Part 5: Advanced Operating on Enumerated Fields - Video 6
Part 6: Finding The Victims - Video 7
Part 7: Hunting For A Phish - Video 8
Triage
Triage: Introduction
Triage: A Lead
Triage: Honing In
Triage: Who's Who
Triage: Risky Click
Triage: Execute!
Transitioning: Triage to Investigation
Transitioning: Triage to Investigation - Introduction
Transitioning: Triage to Investigation - Back In Action
Transitioning: Triage to Investigation - Well That’s New
Transitioning: Triage to Investigation - Campaigns
Transitioning: Triage to Investigation - Sweep
Platform basics
FLOWs - How Payloads Move Through Nodes
Flows - SOAR for Log Management
How To: Auto Extractors (AX)
How To: Macros
How To: Actionables
How To: Systems Overview (new features)
How To: Rapid Deployment - Installation to alerts in 3 mins
How-To: Compound Queries & Non-Temporal Joins
Bootcamp course
Bootcamp - Lesson 01
Lessons/SOC: Orienting An Analyst/Part 2: Operating on Enumerated Fields - Video 3

Part 2: Operating on Enumerated Fields - Video 3

Detection Engineering: Overview
DE Part 1: Pivoting
DE Part 2: Automating Detections & Notifications
Part 0: Introduction - Video 1
Part 1: Understanding A Query - Video 2
Part 2: Operating on Enumerated Fields - Video 3
Part 3: Interacting with Enumerated Fields - Video 4
Part 4: A High Level View - Video 5
Part 5: Advanced Operating on Enumerated Fields - Video 6
Part 6: Finding The Victims - Video 7
Part 7: Hunting For A Phish - Video 8
Triage: Introduction
Triage: A Lead
Triage: Honing In
Triage: Who's Who
Triage: Risky Click
Triage: Execute!
Transitioning: Triage to Investigation - Introduction
Transitioning: Triage to Investigation - Back In Action
Transitioning: Triage to Investigation - Well That’s New
Transitioning: Triage to Investigation - Campaigns
Transitioning: Triage to Investigation - Sweep
FLOWs - How Payloads Move Through Nodes
Flows - SOAR for Log Management
How To: Auto Extractors (AX)
How To: Macros
How To: Actionables
How To: Systems Overview (new features)
How To: Rapid Deployment - Installation to alerts in 3 mins
How-To: Compound Queries & Non-Temporal Joins
Bootcamp - Lesson 01

While it's great to be able to explore the shape of our data, as security analysts we often have
questions we need to ask. To help us question our data, we’ll explore some additional
processing modules that operate on fields enumerated with our extraction module. We will
also add optional parameters to our rendering module to further refine the data stream we
review.

Query 2:
Using the count [Math Module] to determine how many unique employees we have

tag=envolvelabs-Employees ax
| count by name
| table count

Query 3:
Using the unique module to view distinct values of a column, we’ll do usernames this time and add an alphabetical sort

tag=envolvelabs-Employees ax
| unique username
| sort by username asc
| table username

Query 4:
What if we want to know the breakdown of peoples’ roles from the data we have available in our data source?

tag=envolvelabs-Employees ax
| count by role
| table role count

Query 5:
Charting - Wouldn’t it be neat to see that as a pie chart?

*note: need to change visualization type, use “ visualization options ” cogwheel after the chart
is rendered*

tag=envolvelabs-Employees ax
| count by role
| chart count by role
Gravwell is an enterprise data fusion platform that enables security teams to investigate, collaborate, and analyze data from any source, on demand, all with unlimited data collection and retention. Ingest everything. Investigate anything.
TOP