Triage: Risky Click

So we know our user, Jose Delagarza, browsed to the suspect URL, but did the file
“Critical_Security_Path.docx” get downloaded to their computer? We can pivot into our
FileCreationEvents table to see if any files by this name were created on hosts in our

Key: Set time scope to 09/01/2019 -> 01/01/2022

//Query 6//
Did the user download the file “Critical_Security_Path.docx”?

tag=envolvelabs2-FileCreationEvents words "Critical_Security_Path.docx"
| ax
| sort by time asc
| table

//Query 7//
What happened next on the user’s machine (4AHX-DESKTOP)? (after 2022-01-09

tag=envolvelabs2-FileCreationEvents ax hostname=="4AHX-DESKTOP"
| sort by time asc
| table
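
The pivot in Queries 6 and 7 chained into one step, as an added example that is not part of the original lab material: find the first creation of the document on each host, then list what was created on that host shortly afterwards. The event records, their field names (timestamp, hostname, filename), the one-hour window and all file names other than the document are constructed assumptions, not the lab's FileCreationEvents schema or data.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records. Field names (timestamp, hostname, filename) are
# assumptions for illustration, not the lab's actual FileCreationEvents schema.
SAMPLE_EVENTS = """
{"timestamp": "2021-06-01T09:00:00", "hostname": "4AHX-DESKTOP", "filename": "report.xlsx"}
{"timestamp": "2021-06-01T09:20:05", "hostname": "4AHX-DESKTOP", "filename": "placeholder2.dat"}
{"timestamp": "2021-06-01T09:15:30", "hostname": "4AHX-DESKTOP", "filename": "Critical_Security_Path.docx"}
{"timestamp": "2021-06-01T09:16:40", "hostname": "4AHX-DESKTOP", "filename": "placeholder1.tmp"}
{"timestamp": "2021-06-01T09:17:00", "hostname": "OTHER-HOST", "filename": "unrelated.txt"}
{"timestamp": "2021-06-01T12:00:00", "hostname": "4AHX-DESKTOP", "filename": "later.txt"}
"""

DOC = "Critical_Security_Path.docx"


def load_events(text):
    """Parse one JSON record per line and sort ascending by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["time"] = datetime.fromisoformat(e["timestamp"])
    return sorted(events, key=lambda e: e["time"])


def first_creation(events, filename):
    """Query 6 equivalent: earliest creation time of `filename` per host."""
    hits = {}
    for e in events:  # events are already sorted ascending
        if e["filename"].lower() == filename.lower():
            hits.setdefault(e["hostname"], e["time"])
    return hits


def followup_timeline(events, filename, window=timedelta(hours=1)):
    """Query 7 equivalent, scoped: files created on each affected host
    after the document landed and within `window` of that moment."""
    timeline = {}
    for host, t0 in first_creation(events, filename).items():
        timeline[host] = [e["filename"] for e in events
                          if e["hostname"] == host and t0 < e["time"] <= t0 + window]
    return timeline


EVENTS = load_events(SAMPLE_EVENTS)

if __name__ == "__main__":
    for host, files in followup_timeline(EVENTS, DOC).items():
        print(host, files)
```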