Fill Gaps In Data With Enrich

Sometimes data has gaps that make processing difficult, such as key/value data that omits fields when there is no data to populate in that field. Enrich allows you to fill in any missing fields that...

Hosts Making A Lot of DNS Requests

This query uses Zeek DNS logs to see which hosts on your network are making the most DNS requests. Although simple, it does a good job of demonstrating the ax, stats, and alias modules. Here...

Detect DNS Beaconing

This query looks at CoreDNS log data to identify beaconing, where a system periodically reaches out to an Internet host to check in. It can be a useful way to identify malware... or a Photoshop...

Failed Sudo Attempts

Who wishes they had sudo access? Who has sudo access but always fat-fingers their password? This query will help you answer these burning questions and maybe find somebody doing something sneaky. The...

Hosts that have both succeeded and failed at SSH logins

Any IP which succeeds at logging in via SSH after a failed login attempt is worth a look--it could indicate that a brute-force attempt has succeeded. This query builds up a table of successful SSH...

Windows External Storage Audit

For this week we are going to look at external storage auditing in Windows. This query shows a nice succinct table of file activity on external storage, which is a great way to monitor external...

WTF Windows!?!?! Diving into the absurdity of Windows Event Logs

In our first part of the WTF Windows!?!?! Query of the Week, we are going to jump into a fun hunt. Long story short, we had some system applications that were hanging, Windows has an event for this...

Traffic Volume by DNS Name

This query uses a compound query to create a temporary DNS cache over the given time window, and then reference netflow traffic to it, creating the ability to sum byte counts from netflow by DNS...

Monitor Daily Temperature Swings

This query uses data from the Weather Kit to see how much the temperature changed each day -- the difference between the daily low and the daily high. Due to the format we get from openweathermap, we...

Squirrel Sightings in Central Park, NY, NY

Whether you’re crunching petabytes of network data for security and threat hunting purposes, OR tracking squirrel sightings in Central Park, the Gravwell data lake can handle it. 🐿️ This query...
