All Lessons
Skillset Training
Detection Engineering
Detection Engineering: Overview
DE Part 1: Pivoting
DE Part 2: Automating Detections & Notifications
SOC: Orienting An Analyst
Part 0: Introduction - Video 1
Part 1: Understanding A Query - Video 2
Part 2: Operating on Enumerated Fields - Video 3
Part 3: Interacting with Enumerated Fields - Video 4
Part 4: A High Level View - Video 5
Part 5: Advanced Operating on Enumerated Fields - Video 6
Part 6: Finding The Victims - Video 7
Part 7: Hunting For A Phish - Video 8
Triage
Triage: Introduction
Triage: A Lead
Triage: Honing In
Triage: Who's Who
Triage: Risky Click
Triage: Execute!
Transitioning: Triage to Investigation
Transitioning: Triage to Investigation - Introduction
Transitioning: Triage to Investigation - Back In Action
Transitioning: Triage to Investigation - Well That’s New
Transitioning: Triage to Investigation - Campaigns
Transitioning: Triage to Investigation - Sweep
Platform basics
FLOWs - How Payloads Move Through Nodes
Flows - SOAR for Log Management
How To: Auto Extractors (AX)
How To: Macros
How To: Actionables
How To: Systems Overview (new features)
How To: Rapid Deployment - Installation to alerts in 3 mins
How-To: Compound Queries & Non-Temporal Joins
Bootcamp course
Bootcamp - Lesson 01
Lessons/Transitioning: Triage to Investigation/Transitioning: Triage to Investigation - Well That’s New

Transitioning: Triage to Investigation - Well That’s New

Detection Engineering: Overview
DE Part 1: Pivoting
DE Part 2: Automating Detections & Notifications
Part 0: Introduction - Video 1
Part 1: Understanding A Query - Video 2
Part 2: Operating on Enumerated Fields - Video 3
Part 3: Interacting with Enumerated Fields - Video 4
Part 4: A High Level View - Video 5
Part 5: Advanced Operating on Enumerated Fields - Video 6
Part 6: Finding The Victims - Video 7
Part 7: Hunting For A Phish - Video 8
Triage: Introduction
Triage: A Lead
Triage: Honing In
Triage: Who's Who
Triage: Risky Click
Triage: Execute!
Transitioning: Triage to Investigation - Introduction
Transitioning: Triage to Investigation - Back In Action
Transitioning: Triage to Investigation - Well That’s New
Transitioning: Triage to Investigation - Campaigns
Transitioning: Triage to Investigation - Sweep
FLOWs - How Payloads Move Through Nodes
Flows - SOAR for Log Management
How To: Auto Extractors (AX)
How To: Macros
How To: Actionables
How To: Systems Overview (new features)
How To: Rapid Deployment - Installation to alerts in 3 mins
How-To: Compound Queries & Non-Temporal Joins
Bootcamp - Lesson 01

From our previous triage efforts, we should recognize that the machine “NZ6J-LAPTOP” was
not seen in our initial investigation, therefore we should dig into how “infector.exe” ended up on
it! Let's pivot back into the machine’s FileCreationEvents data to see if we can determine how
the malicious binary was delivered.

Key: Set time scope to 09/01/2019 -> 01/01/2022

//Query 3//
Lets pivot back into the machine (NZ6J-LAPTOP) to see if there are any interesting
files

tag=envolvelabs2-FileCreationEvents ax hostname=="NZ6J-LAPTOP"
| sort by time asc
| table

//Query 4//
Where did the file “IT_PASSWORD_RESET_TOOL.zip” come from, thats different
than what we saw on “4AHX-DESKTOP”

tag=envolvelabs2-OutboundBrowsing ax
| words "IT_PASSWORD_RESET_TOOL.zip"
| table

//Query 5//
Lets correlate our second victim machine “NZ6J-LAPTOP” back to an employee
identity and assigned IP
NOTE: Assignment of IP to this Machine is in 2018-10-04!

tag=envolvelabs2-Employees ax hostname=="NZ6J-LAPTOP"
| table

//Query 6//
Lets pivot on the newly discovered URL “updatesoftware.com” that we saw
delivering a link with “IT_PASSWORD_RESET_TOOL.zip”

tag=envolvelabs2-Email ax
| grep "updatesoftware.com" "security.info"
| table
Gravwell is an enterprise data fusion platform that enables security teams to investigate, collaborate, and analyze data from any source, on demand, all with unlimited data collection and retention. Ingest everything. Investigate anything.
TOP