Now that we’ve talked about using the Search operator in Part 4 to answer those three basic SOC analyst questions of: 1) Does it exist? 2) Where does it exist? and 3) Why does it exist?, we can take that learning and the results of that type of query and meld it with the standard search query structure I talked about in Part 3.
In Part 4, I ended with a query to locate activity by a user called “rodtrent“. I found that this rodtrent person had performed potentially strange activity in the OfficeActivity table (the table for Office 365 activity) that needs to be checked out. As shown, the search operator is a powerful tool to find things of interest. The results of the search operator query, however, were thousands of rows of data. That’s inefficient.
So, now that we’ve found something interesting, we want to use the structure of the Search Query to pare down the results to minimize the effort and workload to identify that that something interesting is actually something notable and worth investigating.
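Here is an added example (not from the original post) of that hand-off: the broad search operator query from Part 4, followed by the narrowed, table-scoped query in the Part 3 structure. It assumes the standard Microsoft Sentinel OfficeActivity columns (UserId, Operation, OfficeWorkload, ClientIP, TimeGenerated) and a 7-day window.

```kql
// Step 1: the broad search from Part 4. It scans every table and returns
// thousands of rows; $table tells us WHERE the user shows up.
search "rodtrent"
| summarize Hits = count() by $table
| order by Hits desc

// Step 2: now that we know the OfficeActivity table is where the interesting
// activity lives, switch to the structured form from Part 3:
// Table | where (time) | where (filter) | summarize | order
OfficeActivity
| where TimeGenerated > ago(7d)             // bound the time range first (cheapest filter)
| where UserId has "rodtrent"               // scope to the user of interest
| summarize EventCount = count(),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated)
    by Operation, OfficeWorkload, ClientIP  // what they did, in which service, from where
| order by EventCount desc
```

The second query returns a handful of rows, one per operation/workload/source address, which is what an analyst actually needs to decide whether the activity is notable.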