Gravwell is an enterprise data fusion platform that enables security teams to investigate, collaborate, and analyze data from any source, on demand, all with unlimited data collection and retention. Ingest everything. Investigate anything.
Let's use some of our newly learned query skills, and introduce some complementary new ones, to see if we can catch a phish!
Query 12:
Ensure each recipient is only counted once, because the question we want to answer is how many different recipients received messages from each sender_domain
tag=envolvelabs-Email ax recipient ~ "envolvelabs.com" sender !~ "envolvelabs.com"
| fields -e sender -d "@" [ 1 ] as sender_domain
| unique sender_domain recipient
| count by sender_domain
| sort by count desc
| eval count
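To make the "count each recipient once" logic concrete outside of Gravwell, here is an added Python example (not from the training material or from Gravwell) that applies the same pipeline as Query 12 to a handful of constructed email records: keep only mail addressed to our domain from an external sender, split the sender on "@" and take index 1 as sender_domain, deduplicate on (sender_domain, recipient), then count per sender_domain and sort descending. The domain names and addresses are made up for the example.

```python
from collections import defaultdict

# Constructed sample email records (not real data): one dict per message.
# The third record repeats a recipient so the dedup step has something to remove.
EMAILS = [
    {"sender": "payroll@illness.med", "recipient": "alice@envolvelabs.com"},
    {"sender": "payroll@illness.med", "recipient": "bob@envolvelabs.com"},
    {"sender": "payroll@illness.med", "recipient": "alice@envolvelabs.com"},  # duplicate recipient
    {"sender": "news@vendor.example", "recipient": "carol@envolvelabs.com"},
    {"sender": "alice@envolvelabs.com", "recipient": "bob@envolvelabs.com"},  # internal sender, filtered out
    {"sender": "payroll@illness.med", "recipient": "someone@other.example"},  # not our domain, filtered out
]

OUR_DOMAIN = "envolvelabs.com"  # assumed local domain, matching the query filters


def sender_domain(sender):
    # Mirrors `fields -e sender -d "@" [1] as sender_domain`: split on "@" and take index 1.
    parts = sender.split("@")
    return parts[1] if len(parts) > 1 else None


def distinct_recipients_by_sender_domain(emails, our_domain=OUR_DOMAIN):
    # recipient ~ our_domain, sender !~ our_domain
    # | unique sender_domain recipient
    # | count by sender_domain
    # | sort by count desc
    seen = set()
    counts = defaultdict(int)
    for e in emails:
        if our_domain not in e["recipient"] or our_domain in e["sender"]:
            continue
        dom = sender_domain(e["sender"])
        if dom is None:
            continue
        key = (dom, e["recipient"])
        if key in seen:  # a recipient already counted for this sender_domain
            continue
        seen.add(key)
        counts[dom] += 1
    # Sort by count descending; tie-break on domain name for a stable order.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for dom, n in distinct_recipients_by_sender_domain(EMAILS):
        print(f"{dom}: {n} distinct recipients")
```

With the constructed input, illness.med reaches two distinct recipients (alice and bob; the repeat to alice is dropped) and vendor.example reaches one. Without the dedup step, illness.med would show three, which is the message count rather than the recipient spread the question asks about.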
Query 13:
Use a partial match of the url field to find entries with our domain of interest
tag=envolvelabs-OutboundBrowsing ax url ~ "illness.med"
| table
Query 14:
Extract the domain out of a url and search for a particular pattern within the new enumerated field
tag=envolvelabs-OutboundBrowsing ax
| regex -e url "(?P<domain>^(?:https?:\/\/)?(?:[^@\/\n]+@)?(?:www\.)?([^:\/\n]+))"
| grep -e domain "illness.med"
| table
Query 15:
Adding a filter to see only users that issued an HTTP POST request
tag=envolvelabs-OutboundBrowsing ax method == "POST"
| regex -e url "(?P<domain>^(?:https?:\/\/)?(?:[^@\/\n]+@)?(?:www\.)?([^:\/\n]+))"
| grep -e domain "illness.med"
| table