# Demo notes

```graphql
{
  Node(func: eq(type, "matcher")) {
    id
    target
    type
    full
    nodes {
      uid
      full
    }
  }
}
```

```graphql
{
  Node(func: has(nodes)) {
    uid
    type
    target
    timestamp
    nodes {
      uid
      type
      full
      hostnames
    }
  }
}
```

## Notes

* There is TOO MUCH junk data
* Upsert is not optimal
* What do we do with the data so that analysts can exploit it?
* Should we store matched data in an SQL-like db?

## TDH

* patterns: stream to an IP address and not a domain (so the HTTP hostname won't be interesting) => look into any canonical name resolving to NXDOMAIN (TLS connection directly to an IP address); NO DNS => hostname is a DGA (there should be a way to identify this visually)
* any canonical name that is an IP address and not a domain name
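The TDH patterns above, turned into detection logic as an added example that is not part of the original notes: it runs over constructed DNS and TLS records (the log shape, the `DNS_LOG`/`TLS_LOG` samples and the rule names are assumptions, not the project's schema) and flags canonical names that resolve to NXDOMAIN, canonical names that are IP literals, TLS sessions whose hostname is an IP literal, and TLS sessions to an IP that no earlier DNS answer pointed at (the "no DNS" case where the hostname is a DGA candidate for analyst review).

```python
import ipaddress

# Constructed sample records (not data from the notes). Each DNS record is one
# query with its response code and answer RRs; each TLS record is one session.
DNS_LOG = [
    {"ts": 100, "query": "cdn.example.org", "rcode": "NOERROR",
     "answers": [("CNAME", "edge.example-cdn.net"), ("A", "203.0.113.10")]},
    {"ts": 101, "query": "edge.example-cdn.net", "rcode": "NOERROR",
     "answers": [("A", "203.0.113.10")]},
    {"ts": 110, "query": "www.example.com", "rcode": "NOERROR",
     "answers": [("CNAME", "dangling.example-old.net")]},
    {"ts": 111, "query": "dangling.example-old.net", "rcode": "NXDOMAIN",
     "answers": []},
    {"ts": 115, "query": "update.example.net", "rcode": "NOERROR",
     "answers": [("CNAME", "192.0.2.9")]},          # canonical name is an IP
]
TLS_LOG = [
    {"ts": 120, "dst_ip": "203.0.113.10", "sni": "cdn.example.org"},   # normal
    {"ts": 130, "dst_ip": "198.51.100.7", "sni": "198.51.100.7"},      # SNI is an IP
    {"ts": 140, "dst_ip": "192.0.2.55", "sni": "xk3q9vz2plm.top"},     # no DNS first
]


def is_ip_literal(name: str) -> bool:
    """True when the 'hostname' is really an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def answered_ips(dns_log, before_ts=None):
    """All A/AAAA answer values seen, optionally only up to a timestamp."""
    ips = set()
    for rec in dns_log:
        if before_ts is not None and rec["ts"] > before_ts:
            continue
        for rtype, value in rec["answers"]:
            if rtype in ("A", "AAAA"):
                ips.add(value)
    return ips


def cname_findings(dns_log):
    """CNAME targets that are IP literals or whose own lookup returned NXDOMAIN."""
    rcode_by_name = {rec["query"]: rec["rcode"] for rec in dns_log}
    hits = []
    for rec in dns_log:
        for rtype, value in rec["answers"]:
            if rtype != "CNAME":
                continue
            if is_ip_literal(value):
                hits.append(("cname_is_ip_literal", rec["query"], value))
            elif rcode_by_name.get(value) == "NXDOMAIN":
                hits.append(("cname_to_nxdomain", rec["query"], value))
    return hits


def hunt(dns_log, tls_log):
    """Apply the TDH patterns; returns (rule, subject, detail) tuples."""
    hits = cname_findings(dns_log)
    for conn in tls_log:
        sni = conn["sni"]
        if is_ip_literal(sni):
            # Stream to an IP address, not a domain: the hostname is uninteresting
            hits.append(("tls_hostname_is_ip", conn["dst_ip"], sni))
        elif conn["dst_ip"] not in answered_ips(dns_log, before_ts=conn["ts"]):
            # TLS to an IP nothing resolved to beforehand: hostname is a DGA candidate
            hits.append(("tls_without_prior_dns", conn["dst_ip"], sni))
    return hits


if __name__ == "__main__":
    for rule, subject, detail in hunt(DNS_LOG, TLS_LOG):
        print(f"{rule:24} {subject:28} {detail}")
```

The "no DNS" rule only consults answers with a timestamp at or before the TLS session, so a resolution logged after the connection does not whitewash it; in a real pipeline the DNS answers would come from the `hostnames`/`nodes` data already stored in the graph rather than from an inline list.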