Looking at our initial results, we can tell from the timestamps in the raw data that the “Email” events preceded the “OutboundBrowsing” event. That ordering makes sense, since email is a very common vector for driving users to browse to specific domains. So, we’ll start by digging into our email data.
//Query 2//Focused search on the Emails table
tag=envolvelabs2-Email grep "notice.io" | ax | table
//Query 3a//Who clicked the suspect link, using grep
tag=envolvelabs2-OutboundBrowsing grep "notice.io" | ax | table
//Query 3b//Who clicked the suspect link, using a field comparison
tag=envolvelabs2-OutboundBrowsing ax url~"notice.io" | table
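
The difference between Query 3a and Query 3b, together with the email-before-browsing ordering noted above, shown as an added Python example (not part of the original post and not Gravwell code). The records are constructed, and every field name other than `url` is an assumption.

```python
import json
from datetime import datetime

NEEDLE = "notice.io"

# Constructed sample records. Only the "url" field name appears in the
# queries above; "timestamp", "recipient", "user", "link" and "referrer"
# are assumed names used for illustration.
EMAILS = [
    '{"timestamp":"2023-05-01T09:02:11Z","recipient":"alice","link":"http://login.notice.io/verify"}',
    '{"timestamp":"2023-05-01T09:03:40Z","recipient":"carol","link":"http://login.notice.io/verify"}',
    '{"timestamp":"2023-05-01T09:04:02Z","recipient":"bob","link":"https://intranet.example.com/news"}',
]
BROWSING = [
    '{"timestamp":"2023-05-01T09:05:30Z","user":"alice","url":"http://login.notice.io/verify","referrer":""}',
    '{"timestamp":"2023-05-01T09:06:10Z","user":"bob","url":"https://cdn.example.net/logo.png","referrer":"http://login.notice.io/verify"}',
    '{"timestamp":"2023-05-01T08:50:00Z","user":"carol","url":"http://notice.io/","referrer":""}',
]

def ts(rec):
    """Parse the record's UTC timestamp."""
    return datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")

def grep_match(lines, needle=NEEDLE):
    """Query 3a style: substring match anywhere in the raw record."""
    return [json.loads(line) for line in lines if needle in line]

def field_match(lines, field, needle=NEEDLE):
    """Query 3b style: substring match on one extracted field only."""
    return [r for r in map(json.loads, lines) if needle in r.get(field, "")]

def clicks_after_email(emails, browsing, needle=NEEDLE):
    """Users whose visit to the domain follows an email that carried it."""
    first_mail = {}
    for m in field_match(emails, "link", needle):
        who = m["recipient"]
        first_mail[who] = min(ts(m), first_mail.get(who, ts(m)))
    return sorted({b["user"] for b in field_match(browsing, "url", needle)
                   if b["user"] in first_mail and ts(b) >= first_mail[b["user"]]})

if __name__ == "__main__":
    # grep also returns bob, whose record mentions the domain only in "referrer"
    print([r["user"] for r in grep_match(BROWSING)])
    print([r["user"] for r in field_match(BROWSING, "url")])
    # carol browsed before her email arrived, so only alice is reported
    print(clicks_after_email(EMAILS, BROWSING))
```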