Let’s begin with a report from an external vendor that was referred to the security operations center for triage. The intelligence assessed with high confidence that the presence of “notice[.]io” in *any* telemetry within an organization is indicative of threat actor targeting.
Key: Set time scope to 09/01/2019 -> 01/01/2022
// Query 1 //
Broad search across all data sources for our indicator (there is no need to parse the underlying data in order to search through it!)
tag=envolvelabs2-* grep "notice.io" | table TAG DATA
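To make the logic of that broad search concrete, here is an added Python example (not part of the original exercise, and not Gravwell's own implementation) that does the same three things over a handful of constructed telemetry records: re-fangs the vendor's "notice[.]io" indicator, restricts by tag wildcard and time scope, and returns TAG/DATA rows for every record containing the indicator. The tag names, timestamps and record contents are all made up for the example.

```python
import re
from datetime import datetime, timezone
from fnmatch import fnmatch

# Constructed sample telemetry for the example (tag, timestamp, raw record).
SAMPLE_TELEMETRY = [
    ("envolvelabs2-dns",   "2021-03-14T10:22:05Z", "query A notice.io from 10.1.4.22"),
    ("envolvelabs2-proxy", "2020-11-02T08:01:44Z", "GET https://cdn.Notice.IO/x.js 200"),
    ("envolvelabs2-proxy", "2021-06-09T13:45:00Z", "GET https://example.org/ 200"),
    ("envolvelabs2-auth",  "2018-12-30T23:59:59Z", "user bob from notice.io VPN"),  # before scope
    ("corp-mail",          "2021-01-05T09:15:12Z", "rcpt to: alice@notice.io"),     # tag not matched
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'notice[.]io' into its literal form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp or bare date; naive values are taken as UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def broad_search(records, tag_glob, indicator, start, end):
    """Equivalent of `tag=<glob> grep "<ioc>" | table TAG DATA` over a time scope.

    A record is returned when its tag matches the glob, its timestamp falls in
    [start, end), and its raw data contains the re-fanged indicator. The dot is
    escaped so 'notice.io' cannot match 'noticeXio', and matching is
    case-insensitive because hostnames in logs are not normalised.
    """
    pattern = re.compile(re.escape(refang(indicator)), re.IGNORECASE)
    lo, hi = parse_ts(start), parse_ts(end)
    hits = []
    for tag, ts, data in records:
        if not fnmatch(tag, tag_glob):
            continue
        if not (lo <= parse_ts(ts) < hi):
            continue
        if pattern.search(data):
            hits.append({"TAG": tag, "DATA": data})
    return hits


if __name__ == "__main__":
    for row in broad_search(SAMPLE_TELEMETRY, "envolvelabs2-*", "notice[.]io",
                            "2019-09-01", "2022-01-01"):
        print(f"{row['TAG']:<20} {row['DATA']}")
```

Widening the tag glob to `*` or the time scope shows why the key matters: the same indicator surfaces in out-of-scope tags and older records that the exercise deliberately excludes.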