Gravwell is an enterprise data fusion platform that enables security teams to investigate, collaborate, and analyze data from any source, on demand, all with unlimited data collection and retention. Ingest everything. Investigate anything.
Let's begin with a report from an external vendor that was referred to the security operations center for triage. The vendor assessed with high confidence that the presence of "notice[.]io" in *any* telemetry within an organization is indicative of threat actor targeting.
Key: Set time scope to 09/01/2019 -> 01/01/2022
// Query 1 //
Broad search across all data sources for our indicator (no need to parse the underlying data in order to search it). The defanged "notice[.]io" from the report becomes the literal "notice.io" in the query, and the tag wildcard scopes the search to every data source in the environment:
tag=envolvelabs2-* grep "notice.io"
| table TAG DATA
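To make the behaviour of this first sweep concrete outside of Gravwell, here is an added Python stand-in (example code written for this walkthrough, not Gravwell's own code or query language). It refangs the vendor's indicator, restricts records to the stated time scope and tag prefix, and then does the same parse-free substring match over raw data lines that `grep` performs, returning (TAG, DATA) rows. Everything in it is an assumption for illustration: the `(tag, data)` record shape, the constructed sample lines, the tag names, and the reading of the scope dates as 1 Sep 2019 to 1 Jan 2022. A second function shows the regex variant so the difference between a literal substring hit and an escaped, boundary-anchored pattern is visible on the same data.

```python
"""Added example: a plain-Python model of Query 1 (broad indicator sweep).

Nothing here is Gravwell code. Records are modelled as (tag, data) tuples to
mirror the TAG and DATA columns the query tabulates.
"""
import re
from datetime import datetime

# Time scope from the walkthrough, read as 1 Sep 2019 -> 1 Jan 2022 (assumption
# about the date format used on the page).
SCOPE_START = datetime(2019, 9, 1)
SCOPE_END = datetime(2022, 1, 1)

# Constructed sample telemetry: tags, hosts and timestamps are invented for this
# example and do not come from any real environment.
SAMPLE_RECORDS = [
    ("envolvelabs2-dns",    "2021-03-04T10:15:02Z query A notice.io from 10.0.0.12"),
    ("envolvelabs2-proxy",  "2021-03-04T10:15:03Z GET http://cdn.notice.io/a.js 200"),
    ("envolvelabs2-dns",    "2021-03-04T10:15:05Z query A noticexio.example from 10.0.0.12"),
    ("envolvelabs2-syslog", "2021-03-04T10:16:00Z sshd: accepted publickey for ops"),
    ("envolvelabs2-mail",   "2021-03-04T11:02:00Z from=alerts@NOTICE.IO subject=Invoice"),
    ("envolvelabs2-dns",    "2021-03-04T11:05:00Z query A mynotice.io from 10.0.0.40"),
    ("otherorg-dns",        "2021-03-04T11:03:00Z query A notice.io from 10.9.9.9"),
    ("envolvelabs2-dns",    "2019-06-01T08:00:00Z query A notice.io from 10.0.0.12"),
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as "notice[.]io" back into its literal form."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


def in_scope(data: str, start: datetime = SCOPE_START, end: datetime = SCOPE_END) -> bool:
    """Apply the time scope. The constructed lines start with an ISO-8601 UTC stamp."""
    ts = datetime.strptime(data.split(" ", 1)[0], "%Y-%m-%dT%H:%M:%SZ")
    return start <= ts < end


def sweep(records, indicator, tag_prefix="envolvelabs2-", ignore_case=False):
    """Literal substring search over unparsed data, like `grep` without a regex.

    The dot in the refanged indicator is matched literally, so "noticexio" is
    not a hit, but any line that merely contains the string (including
    "mynotice.io") is. Returns a list of (tag, data) rows.
    """
    needle = refang(indicator)
    if ignore_case:
        needle = needle.lower()
    rows = []
    for tag, data in records:
        if not tag.startswith(tag_prefix):      # tag=envolvelabs2-* scoping
            continue
        if not in_scope(data):                  # time scope from the walkthrough
            continue
        haystack = data.lower() if ignore_case else data
        if needle in haystack:
            rows.append((tag, data))
    return rows


def sweep_regex(records, indicator, tag_prefix="envolvelabs2-"):
    """Regex variant of the same sweep.

    re.escape keeps the dot literal; the lookarounds stop the pattern from
    matching inside a longer label such as "mynotice.io" while still matching
    subdomains like "cdn.notice.io". Case-insensitive by construction.
    """
    literal = re.escape(refang(indicator))
    pattern = re.compile(r"(?<![A-Za-z0-9-])" + literal + r"(?![A-Za-z0-9-])", re.IGNORECASE)
    return [
        (tag, data)
        for tag, data in records
        if tag.startswith(tag_prefix) and in_scope(data) and pattern.search(data)
    ]


def render_table(rows) -> str:
    """Print rows the way `table TAG DATA` would lay them out."""
    width = max((len(tag) for tag, _ in rows), default=3)
    lines = [f"{'TAG':<{width}}  DATA"]
    lines += [f"{tag:<{width}}  {data}" for tag, data in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(sweep(SAMPLE_RECORDS, "notice[.]io", ignore_case=True)))
```

Running the block prints a TAG/DATA table for the case-insensitive substring sweep. Comparing `sweep` with `sweep_regex` on the same sample shows why a broad first pass is deliberately loose: the substring match keeps the `mynotice.io` line as a lead to examine, while the anchored regex drops it; the out-of-scope 2019 line and the `otherorg-` tag are excluded by both.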