Triage

We will build on previous videos, such as the SOC: Orienting an Analyst series, and discuss our analytical conclusions in real time while using Gravwell to facilitate our investigation.

In this video series, we will walk you through a typical Security Analyst workflow: triage. We will utilize multiple data sources and straightforward queries to demonstrate how Gravwell can seamlessly integrate into the investigations required for a Security Analyst to understand the scope of a potential intrusion.

Data Sources

https://github.com/KC7-Foundation/kc7_data/tree/main/envolvelabs2

Key: Set time scope to 09/01/2019 -> 01/01/2022

//Query 1//

Broad search across all data sources for our indicator (no need to parse the underlying data in order to search it!)

tag=envolvelabs2-* grep "notice.io"
| table TAG DATA

//Query 2//

Focused search on the Emails table

tag=envolvelabs2-Email grep "notice.io"
| ax
| table

//Query 3a//

Who clicked the suspect link, using grep

tag=envolvelabs2-OutboundBrowsing grep "notice.io"
| ax
| table

//Query 3b//

Who clicked the suspect link, using a field comparison

tag=envolvelabs2-OutboundBrowsing ax url~"notice.io"
| table

//Query 4//

Correlating src_ip (src_ip == 192.168.2.83) against the Employees table to find a username

tag=envolvelabs2-Employees words "192.168.2.83"
| ax
| table

//Query 5//

Correlating src_ip (src_ip == 192.168.2.83) against the Employees table using a compound query

@usermap{
tag=envolvelabs2-Employees ax ip_addr=="192.168.2.83"
| table -nt ip_addr name username hostname
};
tag=envolvelabs2-OutboundBrowsing ax url~"notice.io"
| lookup -s -r @usermap src_ip ip_addr (name username hostname)
| table

//Query 6//

Did the user download the file “Critical_Security_Path.docx”?

tag=envolvelabs2-FileCreationEvents words "Critical_Security_Path.docx"
| ax
| sort by time asc
| table

//Query 7//

What happened next on the user’s machine (4AHX-DESKTOP)? (after 2022-01-09 07:59:33.749981)

tag=envolvelabs2-FileCreationEvents ax hostname=="4AHX-DESKTOP"
| sort by time asc
| table

//Query 8//

We found an interesting file that was created after our suspicious document; did it do anything? (after 2022-01-09 07:59:33.749981)

tag=envolvelabs2-ProcessEvents ax hostname=="4AHX-DESKTOP"
| sort by time asc
| table