At first glance, this query can seem extremely complicated. But by breaking down each
component we can understand that this is a very straightforward iteration on the queries we
have been building throughout the video!
Query 16:
Querying across tables to render a meaningful result: who got phished?
@usermap {
tag=envolvelabs-Employees ax ip_addr == "192.168.2.83"
| table -nt ip_addr name username
} ;
tag=envolvelabs-OutboundBrowsing ax method == "POST"
| lookup -s -r @usermap src_ip ip_addr ( name username )
| regex -e url "^(?:https?:\/\/)?(?:[^@\/\n]+@)?(?:www\.)?(?P<domain>[^:\/\n]+)"
| grep -e domain "illness.med"
| table timestamp src_ip name username method domain url user_agent
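To make the pipeline in Query 16 concrete, here is an added Python example (not from the video or the page, and not Gravwell's code) that reproduces the same four stages over constructed sample events: build the `@usermap` (ip_addr to name/username, filtered to the one workstation), keep only POST requests, join them to the map in strict mode so unmatched source IPs are dropped, pull the host out of the URL with the same regex as the `regex` module (named group `domain` on the host part), and finally substring-match the domain the way `grep -e domain` does. The employee names, IPs, timestamps and URLs are all made up for the demonstration.

```python
import re
from typing import Optional

# Constructed stand-ins for the two tags used in Query 16 (hypothetical values).
EMPLOYEES = [  # tag=envolvelabs-Employees
    {"ip_addr": "192.168.2.83", "name": "Dana Example", "username": "dexample"},
    {"ip_addr": "192.168.2.84", "name": "Sam Sample", "username": "ssample"},
]
OUTBOUND = [  # tag=envolvelabs-OutboundBrowsing
    {"timestamp": "2024-01-01T10:00:00Z", "src_ip": "192.168.2.83", "method": "POST",
     "url": "https://www.illness.med/login", "user_agent": "Mozilla/5.0"},
    {"timestamp": "2024-01-01T10:00:05Z", "src_ip": "192.168.2.83", "method": "GET",
     "url": "https://www.illness.med/logo.png", "user_agent": "Mozilla/5.0"},
    {"timestamp": "2024-01-01T10:01:00Z", "src_ip": "192.168.2.84", "method": "POST",
     "url": "http://user:pw@illness.med:8080/submit", "user_agent": "curl/8.0"},
    {"timestamp": "2024-01-01T10:02:00Z", "src_ip": "192.168.2.83", "method": "POST",
     "url": "https://intranet.example.internal/api", "user_agent": "Mozilla/5.0"},
]

# Same pattern the regex module applies to the url field: optional scheme,
# optional userinfo, optional "www.", then the host up to ':' or '/'.
DOMAIN_RE = re.compile(r"^(?:https?://)?(?:[^@/\n]+@)?(?:www\.)?(?P<domain>[^:/\n]+)")


def extract_domain(url: str) -> Optional[str]:
    """Equivalent of `regex -e url "...(?P<domain>...)"`: None when no match."""
    m = DOMAIN_RE.match(url)
    return m.group("domain") if m else None


def build_usermap(employees, ip_filter: Optional[str] = None):
    """Equivalent of the @usermap compound query: ip_addr -> (name, username).
    ip_filter mirrors `ax ip_addr == "192.168.2.83"`; None keeps every employee."""
    return {e["ip_addr"]: (e["name"], e["username"])
            for e in employees if ip_filter is None or e["ip_addr"] == ip_filter}


def who_got_phished(outbound, usermap, needle: str = "illness.med"):
    """Main query: POST only, strict lookup join, domain extraction, substring grep."""
    rows = []
    for ev in outbound:
        if ev["method"] != "POST":            # ax method == "POST"
            continue
        if ev["src_ip"] not in usermap:       # lookup -s: strict, drop non-matches
            continue
        domain = extract_domain(ev["url"])    # regex -e url ...
        if domain is None or needle not in domain:  # grep -e domain "illness.med"
            continue
        name, username = usermap[ev["src_ip"]]
        rows.append({"timestamp": ev["timestamp"], "src_ip": ev["src_ip"],
                     "name": name, "username": username, "method": ev["method"],
                     "domain": domain, "url": ev["url"], "user_agent": ev["user_agent"]})
    return rows                               # the columns `table` renders


if __name__ == "__main__":
    for row in who_got_phished(OUTBOUND, build_usermap(EMPLOYEES, "192.168.2.83")):
        print(row)
```

Two things the sample data is chosen to show: the regex still yields `illness.med` when the URL carries credentials and a port (`http://user:pw@illness.med:8080/...`), and the strict lookup (`-s`) is what silences the second workstation, so widening the `@usermap` filter, not the grep, is how you would extend the result to more users.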
Query Bonus (17):
Search all tags for the given pattern
tag=envolvelabs-* grep "illness.med"
| table TAG DATA