SOC: Orienting an Analyst

The purpose of this video is to showcase Gravwell's query power as part of an in-depth investigation into the full extent of a mock intrusion in a simulated environment. The narrative is a follow-up to "Triage in Gravwell" (Part 1), but it is self-contained and overlaps with Part 1 only enough to set the scene. Like Part 1, this video focuses on querying data in Gravwell and analyzing it from the point of view of a security analyst or incident responder; we therefore do not break down query logic except where it changes or is optimized in a notable way. Viewers will come away with a better understanding of wider-scope pivoting (beyond the context of a single machine) to build an overall "big picture" of an active intrusion in support of an investigation.

