Part 6: Finding The Victims

Detection Engineering: Overview

DE Part 1: Pivoting

DE Part 2: Automating Detections & Notifications

Part 0: Introduction - Video 1

Part 1: Understanding A Query - Video 2

Part 2: Operating on Enumerated Fields - Video 3

Part 3: Interacting with Enumerated Fields - Video 4

Part 4: A High Level View - Video 5

Part 5: Advanced Operating on Enumerated Fields - Video 6

Part 6: Finding The Victims - Video 7

Part 7: Hunting For A Phish - Video 8

Transitioning: Triage to Investigation - Introduction

Transitioning: Triage to Investigation - Back In Action

Transitioning: Triage to Investigation - Well That’s New

Transitioning: Triage to Investigation - Campaigns

Transitioning: Triage to Investigation - Sweep

FLOWs - How Payloads Move Through Nodes

Flows - SOAR for Log Management

How To: Auto Extractors (AX)

How To: Macros

How To: Actionables

How To: Systems Overview (new features)

How To: Rapid Deployment - Installation to alerts in 3 mins

How-To: Compound Queries & Non-Temporal Joins

Bootcamp - Lesson 01

Let's use some of our newly learned query skills, and introduce some complimentary new ones, to see if we can catch a phish!

Query 12:
Ensure recipients are only counted once as we want to answer how many different recipients received messages from a each sender_domain

Query 13:
Use a partial match of the url field to find entries with our domain of interest

tag=envolvelabs-OutboundBrowsing ax url ~ "illness.med";
| table

Query 14:
Extract the domain out of a url and search for a particular pattern within the new enumerated field

tag=envolvelabs-OutboundBrowsing ax
| regex -e url "(?P^(?:https?:\/\/)?(?:[^@\/\n]+@)?(?:www\.)?([^:\/\n]+))"
| grep -e domain "illness.med";
| table

Query 15:
Adding a filter to see only users that issued an HTTP POST request

tag=envolvelabs-OutboundBrowsing ax method == "POST"
| regex -e url "(?P^(?:https?:\/\/)?(?:[^@\/\n]+@)?(?:www\.)?([^:\/\n]+))"
| grep -e domain "illness.med";
| table