Part 7: Hunting For A Phish - Video 8

At first glance this query can seem extremely complicated, but by breaking down each component we can see that it is a straightforward iteration on the queries we have been building throughout the video.

Query 16:
Querying across tables to render a meaningful result: who got phished?

@usermap {
tag=envolvelabs-Employees ax ip_addr == "192.168.2.83"
| table -nt ip_addr name username
};
tag=envolvelabs-OutboundBrowsing ax method == "POST"
| lookup -s -r @usermap src_ip ip_addr ( name username )
| regex -e url "(?P<domain>^(?:https?:\/\/)?(?:[^@\/\n]+@)?(?:www\.)?([^:\/\n]+))"
| grep -e domain "illness.med"
| table timestamp src_ip name username method domain url user_agent
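To make the join in Query 16 concrete, here is the same logic replayed in Python over constructed sample records (an added example, not code from the video or from Gravwell): the @usermap subquery becomes an IP-to-user dictionary, the strict lookup drops POSTs from unmapped IPs, the regex pulls the host out of the URL, and the grep keeps only hosts containing the indicator. It generalizes the subquery to every employee rather than the single IP in the video, and narrows the named group to the host so `domain` holds only e.g. "illness.med".

```python
import re

# Same host-extraction pattern as Query 16, with the named group narrowed to
# the host portion so "domain" holds only e.g. "illness.med".
DOMAIN_RE = re.compile(r"^(?:https?://)?(?:[^@/\n]+@)?(?:www\.)?(?P<domain>[^:/\n]+)")

# Constructed sample records standing in for the envolvelabs-Employees and
# envolvelabs-OutboundBrowsing tags (not real data).
EMPLOYEES = [
    {"ip_addr": "192.168.2.83", "name": "Alice Example", "username": "aexample"},
    {"ip_addr": "192.168.2.84", "name": "Bob Example", "username": "bexample"},
]
BROWSING = [
    {"timestamp": "2024-01-01T10:00:00Z", "src_ip": "192.168.2.83", "method": "GET",
     "url": "https://www.illness.med/login", "user_agent": "Mozilla/5.0"},
    {"timestamp": "2024-01-01T10:00:05Z", "src_ip": "192.168.2.83", "method": "POST",
     "url": "https://www.illness.med/login", "user_agent": "Mozilla/5.0"},
    {"timestamp": "2024-01-01T10:01:00Z", "src_ip": "192.168.2.84", "method": "POST",
     "url": "https://intranet.example/form", "user_agent": "Mozilla/5.0"},
    {"timestamp": "2024-01-01T10:02:00Z", "src_ip": "10.0.0.9", "method": "POST",
     "url": "http://illness.med/submit", "user_agent": "curl/8.0"},
]

def extract_domain(url):
    # regex -e url "(?P<domain>...)": the host, or None when nothing matches.
    m = DOMAIN_RE.match(url)
    return m.group("domain") if m else None

def who_got_phished(employees, browsing, needle):
    """Replay Query 16: POST events joined to employees by IP, filtered on host."""
    # @usermap { ... | table -nt ip_addr name username }: build the IP -> user map.
    usermap = {e["ip_addr"]: e for e in employees}
    rows = []
    for ev in browsing:
        if ev["method"] != "POST":                  # ax method == "POST"
            continue
        person = usermap.get(ev["src_ip"])          # lookup ... src_ip ip_addr
        if person is None:                          # -s (strict): drop unmatched
            continue
        domain = extract_domain(ev["url"])
        if domain is None or needle not in domain:  # grep -e domain "illness.med"
            continue
        rows.append({"timestamp": ev["timestamp"], "src_ip": ev["src_ip"],
                     "name": person["name"], "username": person["username"],
                     "method": ev["method"], "domain": domain, "url": ev["url"],
                     "user_agent": ev["user_agent"]})
    return rows

if __name__ == "__main__":
    for row in who_got_phished(EMPLOYEES, BROWSING, "illness.med"):
        print(row)
```

Only the POST from 192.168.2.83 survives: the GET from the same host fails the method filter, the POST from 10.0.0.9 has no employee mapping, and the intranet POST has the wrong host.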

Query Bonus (17):
Search all tags for the given pattern

tag=envolvelabs-* grep "illness.med"
| table TAG DATA
