Gravwell is an enterprise data fusion platform that enables security teams to investigate, collaborate, and analyze data from any source, on demand, all with unlimited data collection and retention. Ingest everything. Investigate anything.
If we are more interested in looking for unusual or uncommon sender domains, we can use some additional search-processing modules within Gravwell to create a new enumerated field derived from the data in an existing one.
Query 10:
Extracting data from a field to create a new field using the "fields" module
tag=envolvelabs-Email ax recipient ~ "envolvelabs.com" sender !~ "envolvelabs.com"
| fields -e sender -d "@" [1] as sender_domain
| count by sender_domain
| sort by count desc
| table sender_domain count
Query 11:
Using "eval" to compare values of a field (in this case the result of count)
tag=envolvelabs-Email ax recipient ~ "envolvelabs.com" sender !~ "envolvelabs.com"
| fields -e sender -d "@" [1] as sender_domain
| count by sender_domain
| sort by count desc
| eval count
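To make the pipeline in Query 10 and the count-based filtering idea behind Query 11 concrete, here is an added Python example (not Gravwell code and not from the original post) that applies the same steps to a handful of constructed email records. It assumes records with "sender" and "recipient" fields, mirrors the query's substring-style filters (recipient contains the organisation domain, sender does not), reproduces the `fields -e sender -d "@" [1]` split, counts and sorts by sender domain, and then keeps only domains seen at or below a chosen count so the uncommon ones stand out. An `exact` option is included to show the difference between a substring match and a strict domain comparison: with substring matching, a sender such as `admin@envolvelabs.com.evil.example` is dropped by the `!~` filter because it contains the organisation string, whereas an exact comparison of the extracted domain keeps it for review.

```python
from collections import Counter

ORG_DOMAIN = "envolvelabs.com"

# Constructed sample records standing in for envolvelabs-Email entries (assumption,
# not real data from the post).
SAMPLE_EMAILS = [
    {"sender": "alice@envolvelabs.com", "recipient": "bob@envolvelabs.com"},
    {"sender": "news@vendor.example", "recipient": "bob@envolvelabs.com"},
    {"sender": "billing@vendor.example", "recipient": "carol@envolvelabs.com"},
    {"sender": "support@partner.example", "recipient": "dave@envolvelabs.com"},
    {"sender": "noreply@vendor.example", "recipient": "erin@envolvelabs.com"},
    {"sender": "admin@envolvelabs.com.evil.example", "recipient": "bob@envolvelabs.com"},
    {"sender": "malformed-sender", "recipient": "frank@envolvelabs.com"},
    {"sender": "x@other.example", "recipient": "someone@elsewhere.example"},
]


def sender_domain(address):
    """Mirror `fields -e sender -d "@" [1]`: split on "@" and take element 1.

    Returns None when the address has no "@", so the caller can skip the record
    the way a missing enumerated value would fall out of `count by`.
    """
    parts = address.split("@")
    return parts[1] if len(parts) > 1 else None


def inbound_external(records, org_domain=ORG_DOMAIN, exact=False):
    """Select mail addressed to the organisation from outside it.

    exact=False mirrors the query's `recipient ~ org` / `sender !~ org`
    substring filters. exact=True compares the extracted domains instead,
    which does not let a lookalike sender containing the org string slip past.
    """
    kept = []
    for r in records:
        if exact:
            to_org = sender_domain(r["recipient"]) == org_domain
            from_outside = sender_domain(r["sender"]) != org_domain
        else:
            to_org = org_domain in r["recipient"]
            from_outside = org_domain not in r["sender"]
        if to_org and from_outside:
            kept.append(r)
    return kept


def count_sender_domains(records, org_domain=ORG_DOMAIN, exact=False):
    """Query 10 as a function: count by sender_domain, sort by count desc.

    Returns a list of (domain, count) tuples; ties are broken by domain name
    so the output is deterministic.
    """
    counts = Counter()
    for r in inbound_external(records, org_domain, exact):
        domain = sender_domain(r["sender"])
        if domain is None:
            continue  # no "@" in the sender, nothing to enumerate
        counts[domain] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def uncommon_domains(domain_counts, max_count=1):
    """Keep only sender domains seen at most `max_count` times.

    This is the "compare the count" step the post introduces with eval; the
    threshold value is an assumption chosen for the example.
    """
    return [(d, c) for d, c in domain_counts if c <= max_count]


if __name__ == "__main__":
    for exact in (False, True):
        table = count_sender_domains(SAMPLE_EMAILS, exact=exact)
        print("exact" if exact else "substring", "match:")
        for domain, count in table:
            print(f"  {domain:35} {count}")
        print("  uncommon:", uncommon_domains(table))
```

Running the block prints the sender_domain/count table twice, once per matching mode; the lookalike sender only appears in the exact-match table, which is the row an analyst hunting for uncommon domains would want to see.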