Gravwell is an enterprise data fusion platform that enables security teams to investigate, collaborate, and analyze data from any source, on demand, all with unlimited data collection and retention. Ingest everything. Investigate anything.
While analyzing our initial results, the timestamps contained in the raw data show that the “Email” events preceded the “OutboundBrowsing” event. That ordering is consistent with email being a very common vector for driving users to browse to specific domains, so we’ll start by digging into our email data first.
//Query 2//
Focused search on the Emails table
tag=envolvelabs2-Email grep "notice.io"
| ax
| table
//Query 3a//
Who clicked the suspect link, using grep
tag=envolvelabs2-OutboundBrowsing grep "notice.io"
| ax
| table
//Query 3b//
Who clicked the suspect link, using a field comparison
tag=envolvelabs2-OutboundBrowsing ax url~"notice.io"
| table
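The same email-then-click correlation carried out offline, as an added example that is not part of the original post or Gravwell's own code. It assumes constructed email and browsing events with `ts`, `recipient`/`user` and `url` fields (a stand-in for what `ax` extracts), and it adds the check the queries above leave to the analyst: a visit to the suspect domain only counts as a click-through if it happens after that user received the matching email.

```python
from datetime import datetime

# Constructed sample events (not from the original page), one per record
# in the shape the envolvelabs2-Email / envolvelabs2-OutboundBrowsing tags are filtered on.
EMAIL_EVENTS = [
    {"ts": "2020-03-02T09:14:05", "recipient": "alice", "url": "http://notice.io/login"},
    {"ts": "2020-03-02T09:14:07", "recipient": "bob", "url": "http://notice.io/login"},
    {"ts": "2020-03-02T09:20:00", "recipient": "carol", "url": "http://example.org/news"},
]
BROWSING_EVENTS = [
    {"ts": "2020-03-02T09:15:40", "user": "alice", "url": "http://notice.io/login"},
    # bob visited the domain BEFORE his email arrived, so this is not a click on the lure
    {"ts": "2020-03-02T09:10:00", "user": "bob", "url": "http://notice.io/login"},
    {"ts": "2020-03-02T09:21:00", "user": "carol", "url": "http://example.org/news"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def suspect_emails(events, needle):
    """Query 2: email events whose URL contains the suspect domain (grep / url~ semantics)."""
    return [e for e in events if needle in e["url"]]


def suspect_browsing(events, needle):
    """Query 3a/3b: browsing events whose URL contains the suspect domain."""
    return [b for b in events if needle in b["url"]]


def clicked_after_email(emails, browsing, needle, max_delay_s=None):
    """Return (user, email_ts, browse_ts) for each user who browsed to the suspect
    domain after receiving a matching email; optionally bound the delay in seconds."""
    first_email = {}  # recipient -> (datetime, raw ts) of the earliest matching email
    for e in suspect_emails(emails, needle):
        t = _ts(e["ts"])
        if e["recipient"] not in first_email or t < first_email[e["recipient"]][0]:
            first_email[e["recipient"]] = (t, e["ts"])
    hits = []
    for b in suspect_browsing(browsing, needle):
        if b["user"] not in first_email:
            continue
        t_email, raw_email = first_email[b["user"]]
        delay = (_ts(b["ts"]) - t_email).total_seconds()
        if delay >= 0 and (max_delay_s is None or delay <= max_delay_s):
            hits.append((b["user"], raw_email, b["ts"]))
    return hits


if __name__ == "__main__":
    for user, sent, clicked in clicked_after_email(EMAIL_EVENTS, BROWSING_EVENTS, "notice.io"):
        print(f"{user}: email {sent} -> click {clicked}")
```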