Four Tips to Improve Your Search by Enhancing Your Query's Structure

Parts of a Query. A short but important post today - we'll go over four easy tips and tricks for improving your search performance by putting a little thought into how you structure your query. But...

What's in a sysmon event - eventid 5, process termination

Sysmon Event ID 5 - Process Termination. This article pairs especially well with the Sysmon Process Creation blog post. We recommend you start there.

Slice it Like Roast Beef: Parsing Raw ARP Messages in Gravwell

One of Gravwell's great strengths is binary ingest: you can store things like raw packets, then parse them later when you know what you want to extract. This came in handy recently when I set up IPv6...