Gravwell is an enterprise data fusion platform that enables security teams to investigate, collaborate, and analyze data from any source, on demand, all with unlimited data collection and retention. Ingest everything. Investigate anything.
Many environments are instrumented to log Process Execution Events, and ours is no different. We'll move over to this data source to see whether anything untoward has been executed on the victim's host.
Key: Set time scope to 09/01/2019 -> 01/01/2022
//Query 8//
We found an interesting file that was created after our suspicious document. Did it do anything? Look at process events after 2022-01-09 07:59:33.749981; sorting ascending by time gives a chronological timeline from that point onward.
tag=envolvelabs2-ProcessEvents ax hostname=="4AHX-DESKTOP"
| sort by time asc
| table
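The query above filters ProcessEvents to one host and sorts them into a timeline; the following Python block is an added example (not Gravwell's code and not part of the original walkthrough) that applies the same filter, cut-off and sort to a few constructed JSON process-event lines, then pivots on a parent PID to answer the "did it do anything?" question. The field names (time, hostname, pid, ppid, image, cmdline), the PIDs and the process names are assumptions made up for the example; real field names come from the autoextractor bound to the tag.

```python
import json
from datetime import datetime, timezone

# Constructed sample ProcessEvents, one JSON record per line. Field names
# and values are assumptions for this example, not real CTF data.
SAMPLE_LOG = "\n".join([
    json.dumps({"time": "2022-01-09T07:58:10.000000Z", "hostname": "4AHX-DESKTOP",
                "pid": 4120, "ppid": 812, "image": "C:\\Windows\\explorer.exe",
                "cmdline": "explorer.exe"}),
    json.dumps({"time": "2022-01-09T08:01:12.512000Z", "hostname": "4AHX-DESKTOP",
                "pid": 5288, "ppid": 4120, "image": "C:\\Program Files\\Office\\WINWORD.EXE",
                "cmdline": "WINWORD.EXE /n report.docx"}),
    json.dumps({"time": "2022-01-09T08:03:41.100000Z", "hostname": "4AHX-DESKTOP",
                "pid": 6004, "ppid": 5288, "image": "C:\\Users\\Public\\update.exe",
                "cmdline": "update.exe -q"}),
    json.dumps({"time": "2022-01-09T08:02:05.000000Z", "hostname": "OTHER-HOST",
                "pid": 333, "ppid": 1, "image": "C:\\Windows\\System32\\svchost.exe",
                "cmdline": "svchost.exe -k netsvcs"}),
    json.dumps({"time": "2022-01-09T08:02:30.000000Z", "hostname": "4AHX-DESKTOP",
                "pid": 5300, "ppid": 5288, "image": "C:\\Windows\\System32\\cmd.exe",
                "cmdline": "cmd.exe /c whoami"}),
])

# The cut-off from the walkthrough: only events after this timestamp matter.
CUTOFF = datetime(2022, 1, 9, 7, 59, 33, 749981, tzinfo=timezone.utc)


def parse_time(value):
    """Parse an ISO-8601 timestamp; a trailing Z means UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_events(text):
    """Turn newline-delimited JSON records into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = parse_time(rec["time"])
        events.append(rec)
    return events


def host_timeline(events, hostname, after=None):
    """Equivalent of `ax hostname=="<host>" | sort by time asc`,
    with an optional "events after this timestamp" cut-off."""
    rows = [e for e in events
            if e["hostname"] == hostname and (after is None or e["time"] > after)]
    return sorted(rows, key=lambda e: e["time"])


def children_of(rows, ppid):
    """Pivot: which processes did a given PID spawn? Keeps input order,
    so pass an already sorted timeline to get children chronologically."""
    return [e for e in rows if e["ppid"] == ppid]


def render_table(rows):
    """Tab-separated rendering, standing in for the `table` renderer."""
    header = ("time", "pid", "ppid", "image", "cmdline")
    lines = ["\t".join(header)]
    for r in rows:
        lines.append("\t".join([r["time"].isoformat(), str(r["pid"]),
                                str(r["ppid"]), r["image"], r["cmdline"]]))
    return "\n".join(lines)


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    rows = host_timeline(events, "4AHX-DESKTOP", after=CUTOFF)
    print(render_table(rows))
    # Having spotted the document viewer (pid 5288), check what it spawned.
    for child in children_of(rows, 5288):
        print("spawned:", child["image"])
```

The cut-off is applied with a strict greater-than so the event at the boundary timestamp itself is excluded, matching "after"; in Gravwell the same restriction is usually done with the time picker rather than a filter in the query.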