Triage: A Lead


Let's begin our triage with a report from an external vendor that was referred to the security operations center. The intelligence assesses with high confidence that the presence of "notice[.]io" in *any* telemetry within an organization is indicative of threat actor targeting. The report defangs the indicator with "[.]"; the queries below use the live form, notice.io, since that is what will actually appear in the data.

Key: Set the time scope to 09/01/2019 -> 01/01/2022 before running the queries below.

// Query 1 //

Broad search through all data sources for our indicator. The grep module matches against the raw entry bytes, so there is no need to parse the underlying data first; the tag wildcard covers every envolvelabs2-* data source at once.

tag=envolvelabs2-* grep "notice.io"
| table TAG DATA
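The same search, as an added Python example that is not part of the original page or of Gravwell: a literal, case-insensitive substring match for a refanged indicator across several tags, restricted to the 09/01/2019 -> 01/01/2022 time scope. The telemetry lines, tag names and timestamps are constructed for this example. It also shows why the match should be literal rather than a regex: an unescaped "." in notice.io would also match a lookalike such as noticexio.

```python
import re
from datetime import datetime, timezone

# Constructed sample telemetry standing in for the envolvelabs2-* tags.
# Every line below is invented for this example; the first field is the timestamp.
SAMPLE_TELEMETRY = {
    "envolvelabs2-dns": [
        "2021-03-04T10:11:12Z client=10.0.4.21 query=notice.io type=A rcode=NOERROR",
        "2021-03-04T10:11:13Z client=10.0.4.21 query=cdn.example.com type=A rcode=NOERROR",
        # Real indicator hit, but before the time scope starts: must be excluded.
        "2019-06-01T00:00:00Z client=10.0.4.9 query=notice.io type=A rcode=NOERROR",
    ],
    "envolvelabs2-proxy": [
        # Mixed case on purpose: the IOC match should be case-insensitive.
        "2021-03-04T10:11:14Z src=10.0.4.21 url=http://Notice.IO/update.php status=200",
        # Lookalike that only matches if the dot is treated as a regex wildcard.
        "2021-03-04T10:11:15Z src=10.0.4.22 url=https://noticexio.example/ status=200",
    ],
    "envolvelabs2-smtp": [
        "2021-03-05T08:00:00Z from=billing@notice.io to=ap@corp.example subject=Invoice",
    ],
}

# Time scope from the page: 09/01/2019 -> 01/01/2022 (end exclusive).
SCOPE_START = datetime(2019, 9, 1, tzinfo=timezone.utc)
SCOPE_END = datetime(2022, 1, 1, tzinfo=timezone.utc)


def refang(indicator: str) -> str:
    """Turn a defanged indicator (notice[.]io, hxxp://) into the form seen in data."""
    return (indicator.replace("[.]", ".")
                     .replace("(.)", ".")
                     .replace("hxxp", "http"))


def in_scope(line: str, start: datetime = SCOPE_START, end: datetime = SCOPE_END) -> bool:
    """Parse the leading ISO-8601 timestamp and test it against the time window."""
    ts = datetime.fromisoformat(line.split(" ", 1)[0].replace("Z", "+00:00"))
    return start <= ts < end


def grep_all_tags(telemetry, indicator, literal=True, case_insensitive=True,
                  start=SCOPE_START, end=SCOPE_END):
    """Search every tag for the indicator, like `tag=* grep "<ioc>"` over a time scope.

    literal=True escapes the needle so "." means a dot; literal=False compiles it
    as a regex, which is the mistake that makes notice.io also match noticexio.
    Returns a list of (tag, line) tuples, the equivalent of `table TAG DATA`.
    """
    needle = refang(indicator)
    flags = re.IGNORECASE if case_insensitive else 0
    pattern = re.compile(re.escape(needle) if literal else needle, flags)
    hits = []
    for tag, lines in telemetry.items():
        for line in lines:
            if in_scope(line, start, end) and pattern.search(line):
                hits.append((tag, line))
    return hits


def hits_by_tag(hits):
    """Count matches per tag, a quick way to see which data sources carry the IOC."""
    counts = {}
    for tag, _ in hits:
        counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    for tag, data in grep_all_tags(SAMPLE_TELEMETRY, "notice[.]io"):
        print(f"{tag}\t{data}")
    print(hits_by_tag(grep_all_tags(SAMPLE_TELEMETRY, "notice[.]io")))
```

Run with the scope widened to 01/01/2019 and the out-of-window DNS hit reappears, which is the usual way to confirm that a quiet result is a genuine absence rather than a time-picker mistake.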
