Fortunately, we know that the static IP assignments given to our employees are stored in the “Employees” table. With this knowledge we can query that table for the identifiers we are missing (the name, username, and hostname behind the source IP).
//Query 4//
Correlating src_ip (src_ip == 192.168.2.83) against the Employees table to find the matching username
tag=envolvelabs2-Employees words "192.168.2.83"
| ax
| table
//Query 5//
Correlating src_ip (src_ip == 192.168.2.83) using a compound query: the @usermap block runs first and builds a lookup table from the Employees data, and the main query then joins its src_ip field against that table with the lookup module
@usermap{
tag=envolvelabs2-Employees ax ip_addr=="192.168.2.83"
| table -nt ip_addr name username hostname
};
tag=envolvelabs2-OutboundBrowsing ax url~"notice.io"
| lookup -s -r @usermap src_ip ip_addr (name username hostname)
| table
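The same pattern generalizes beyond a single address. The query below is an added example, not one of the queries from the original investigation: it builds the user map from every row of the Employees table instead of filtering on one IP, enriches all outbound browsing to notice.io with the employee fields, and counts hits per user. The tag names, field names, and the use of -s (strict mode, which drops any entry whose src_ip has no row in the map) are taken from the queries above; the final count/table stage is an assumption about the column names that come out of the join.

```gravwell
// Added example: enrich every notice.io request with the employee behind its src_ip.
// Step 1: build the map from all employees (no ip_addr filter this time).
@usermap{
    tag=envolvelabs2-Employees ax
    | table -nt ip_addr name username hostname
};
// Step 2: join OutboundBrowsing to the map on src_ip == ip_addr.
// -s is strict: requests from IPs that are not in the Employees table are dropped.
// Omit -s to keep them, in which case name/username/hostname come back empty for those rows.
tag=envolvelabs2-OutboundBrowsing ax url~"notice.io"
| lookup -s -r @usermap src_ip ip_addr (name username hostname)
| count by username
| table username count
```

Run it with and without -s when checking results: the strict version answers "which employees talked to notice.io", while the non-strict version also surfaces requests from addresses that are not in the static assignment table, which is exactly the population worth a second look.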