# Three Things to Try with Spyderbat Community Edition

<mark style="color:blue;">Published: August 22, 2021</mark>

OK, you installed your first Spyderbat Nano Agent ([How-to Install the Spyderbat Nano Agent](/installation/spyderbat-nano-agent.md)). Now what?

### 1) Look at the last hour of activity

If you just installed the Spyderbat Nano Agent, you will see the system as a source on the **Sources** screen.

Click **Open In Search** on the source to query activity from that system, then search for Spydertraces.

### 2) View Your Own Activity

Do you still have a terminal open from when you installed the agent? If not, log back into the system you installed the agent on.

Run some simple Linux commands:

```
clear
id
ls -la
cat .profile
whoami
exit
```

Let's jump back to the Spyderbat console.

Under **Search**, click on the **End Time**, select the **Now** button to update the End Time to the current time, and then select the **Run New Search** button.

That query brought in records for the requested time period as a new Data Layer.

Look in the **Records** table for your recent activity. Click the **star icon** to the right of a record to add it to the **Causal Tree**, or click **Add All** to add everything.

Find your session in the **Records** table — it will show your bash shell and login user. Right-click on the bash shell process node in the **Causal Tree** and select **Search For Child Processes** to load the commands you ran.

For more details on using the Investigation view, see [Investigations](/concepts/flashback/investigations.md).

The Causal Tree updates to display all commands (and processes) that are immediately causally connected to the bash shell. I also see the processes selected in the **Records** table when I view the **Records** table **Process** tab.

By selecting the ‘cat’ node in the **Causal Tree** or process name in the **Records** table, the **Details** panel provides additional details such as the filename, the working directory, environment variables, and more!

### 3) View Your First Flag

Do you recall running the ‘whoami’ command? In our **Causal Tree**, it is annotated with a little flag.

Select the ‘whoami’ node in your **Causal Tree** to view more information from the **Details** panel.

Flags are not the same as alerts. Flags color your Causal Tree with interesting information. The source of a Flag can be third-party alerts as well as other context sources. Spyderbat continuously overlays key security and other context as Flags as they occur.

A single Flag with no causal outcomes is a characteristic of a false positive. A trace of interest will usually include multiple Flags and multiple layers of activity. By viewing alerts and context as Flags, the **Causal Tree** shows you exactly how they are related, the sequence of activities, and any other activity causally connected.
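The triage rule described above, sketched as an added Python example (not Spyderbat's code or data model). The record fields, flag names and thresholds are constructed assumptions; the sample holds two traces, one with a lone flagged `whoami` and one with several Flags across more layers.

```python
from collections import defaultdict
# Constructed records and thresholds (assumptions, not Spyderbat's schema or logic).
RECORDS = [
    {"pid": 100, "ppid": 1, "cmd": "sshd", "flags": []},
    {"pid": 101, "ppid": 100, "cmd": "bash", "flags": []},
    {"pid": 102, "ppid": 101, "cmd": "whoami", "flags": ["user_discovery"]},
    {"pid": 200, "ppid": 1, "cmd": "sshd", "flags": []},
    {"pid": 201, "ppid": 200, "cmd": "bash", "flags": []},
    {"pid": 202, "ppid": 201, "cmd": "whoami", "flags": ["user_discovery"]},
    {"pid": 203, "ppid": 201, "cmd": "sh", "flags": ["unexpected_shell"]},
    {"pid": 204, "ppid": 203, "cmd": "nc", "flags": ["outbound_connection"]},
]

def build_tree(records):
    """Index records by pid and link each process to its children."""
    by_pid = {r["pid"]: r for r in records}
    children = defaultdict(list)
    for r in records:
        if r["ppid"] in by_pid:
            children[r["ppid"]].append(r["pid"])
    roots = [r["pid"] for r in records if r["ppid"] not in by_pid]
    return by_pid, children, roots

def summarize(root, by_pid, children):
    """Count flags, flagged nodes that caused further activity, and tree depth."""
    flags = outcomes = layers = 0
    stack = [(root, 1)]
    while stack:
        pid, level = stack.pop()
        layers = max(layers, level)
        n = len(by_pid[pid]["flags"])
        flags += n
        if n and children[pid]:
            outcomes += 1
        stack.extend((c, level + 1) for c in children[pid])
    return {"flags": flags, "flagged_with_outcomes": outcomes, "layers": layers}

def triage(s):
    if s["flags"] == 0:
        return "no flags"
    if s["flags"] == 1 and s["flagged_with_outcomes"] == 0:
        return "likely false positive"
    if s["flags"] >= 2 and s["layers"] >= 3:
        return "trace of interest"
    return "review"

def triage_all(records):
    by_pid, children, roots = build_tree(records)
    return {root: triage(summarize(root, by_pid, children)) for root in roots}
```

`triage_all(RECORDS)` labels the trace rooted at pid 100 as a likely false positive and the trace rooted at pid 200 as a trace of interest.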

### Other Things to Try

Here are some other great things to try with your Spyderbat Community Edition:

* Have a colleague do some basic admin tasks on a system that has the Spyderbat Nano Agent installed, then see if you can figure out what they did in Spyderbat and compare notes with them.
* Install Spyderbat on a Vulnhub VM from [vulnhub.com](http://vulnhub.com/) and hack it, and see what Spyderbat shows. Many of the Vulnhub images have walkthroughs if you are not an experienced pentester.
* Stand up a honeypot or similar system on the internet that can be easily exploited to see what Spyderbat captures!
* Want to bring in the rest of the team? Try a red team/blue team exercise where the red team attacks a set of Linux systems, and the blue team defends using Spyderbat!

Thank you and happy tracing!

