All Lessons
Skillset Training
Part 0: Introduction - Video 1
Part 1: Understanding A Query - Video 2
Part 2: Operating on Enumerated Fields - Video 3
Part 3: Interacting with Enumerated Fields - Video 4
Part 4: A High Level View - Video 5
Part 5: Advanced Operating on Enumerated Fields - Video 6
Part 6: Finding The Victims - Video 7
Part 7: Hunting For A Phish - Video 8
Platform basics
How-To: Compound Queries & Non-Temporal Joins
Bootcamp course
Bootcamp - Lesson 01
Lessons/Skillset Training/Part 7: Hunting For A Phish - Video 8

Part 7: Hunting For A Phish - Video 8

At first glance, this query can seem extremely complicated. But by breaking down each
component we can understand that this is a very straightforward iteration on the queries we
have been building throughout the video!

Query 16:
Querying across tables to render a meaningful result: who got phished?

@usermap {
tag=envolvelabs-Employees ax ip_addr == "192.168.2.83"
| table -nt ip_addr name username
} ;
tag=envolvelabs-OutboundBrowsing ax method == "POST"

| lookup -s -r @usermap src_ip ip_addr ( name username )
| regex -e url "(?P^(?:https?:\/\/)?(?:[^@\/\n]+@)?(?:www\.)?([^:\/\n]+))"
| grep -e domain "illness.med";
| table timestamp src_ip name username method domain url user_agent

Query Bonus (17):
Search all tags for the given pattern

tag=envolvelabs-* grep "illness.med";
| table TAG DATA
Gravwell is an enterprise data fusion platform that enables security teams to investigate, collaborate, and analyze data from any source, on demand, all with unlimited data collection and retention. Ingest everything. Investigate anything.
TOP