# Demo notes

```graphql
{
  Node(func: eq(nodeType, "matcher")) {
    id
    target
    nodeType
    full
    nodes {
      uid
      full
      meta {
        full_url
      }
    }
  }
}
```

```graphql
{
  Node(func: has(nodes)) {
    uid
    nodeType
    target
    timestamp
    nodes {
      uid
      type
      full
      hostnames
    }
  }
}
```

```graphql
{
  Node(func: eq(nodeType, "certstream")) {
    id
    nodeType
    certNode {
      cn
      sourceName
      fingerprint
      notBefore
      notAfter
    }
  }
}
```

## Notes

* There is TOO MUCH junk data
* Upsert is not optimal
* What do we do with the data so it can be exploitable by analysts?
* Should we store matched data in an SQL-like db?

## TDH

* patterns: a stream to an IP address rather than a domain (so the HTTP hostname won't be interesting) => look into any canonical name resolving to NXDOMAIN (TLS connection directly to an IP address); NO DNS at all => the hostname is a DGA (there should be a way to identify this visually)
* any canonical name that is an IP address and not a domain name
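As an added example (not part of the original notes or the project's code), the patterns above as a small classifier over constructed stream records: an IP literal where a hostname should be, a name that resolved to NXDOMAIN, and a name with no DNS lookup observed at all. The `Event` fields, the flag names and the sample values are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Event:
    """One observed stream: the canonical name seen on the TLS/HTTP side
    and the DNS outcome seen for it (None = no lookup was observed)."""
    canonical_name: str
    dns_status: Optional[str]  # "NOERROR", "NXDOMAIN", or None


def is_ip_literal(name: str) -> bool:
    """True when the 'hostname' is really an IPv4/IPv6 address (brackets allowed)."""
    try:
        ipaddress.ip_address(name.strip("[]"))
        return True
    except ValueError:
        return False


def classify(ev: Event) -> List[str]:
    """Return the pattern names from the notes that the event matches (empty = not interesting)."""
    flags: List[str] = []
    if is_ip_literal(ev.canonical_name):
        flags.append("ip-literal")  # stream to an address, not a domain
    elif ev.dns_status == "NXDOMAIN":
        flags.append("nxdomain")    # name never resolved, yet a stream exists
    elif ev.dns_status is None:
        flags.append("no-dns")      # no lookup at all: candidate DGA name to eyeball
    return flags


# Constructed sample events (not real captures); documentation-range addresses.
SAMPLE_EVENTS = [
    Event("login.example.com", "NOERROR"),
    Event("192.0.2.10", None),
    Event("[2001:db8::1]", None),
    Event("xkq7zv2pd.example", "NXDOMAIN"),
    Event("cdn.example.net", None),
]


def find_suspicious(events: List[Event]) -> List[Tuple[str, List[str]]]:
    """Keep only events that hit at least one pattern, paired with their flags."""
    return [(e.canonical_name, classify(e)) for e in events if classify(e)]


if __name__ == "__main__":
    for name, flags in find_suspicious(SAMPLE_EVENTS):
        print(f"{name:28} {', '.join(flags)}")
```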