Grapl – Graph platform for Detection and Response

Grapl is a Graph Platform for Detection and Response with a focus on helping Detection Engineers and Incident Responders stop fighting their data and start connecting it. The tool leverages graph data structures at its core to ensure that you can query and connect your data efficiently, model complex attacker behaviors for detection, and easily expand suspicious behaviors to encompass the full scope of an ongoing intrusion.


Essentially, the tool takes raw logs, converts each one into a graph, and merges those graphs into a Master Graph. It then orchestrates the execution of your attack signatures against that graph and provides tools for performing your investigations. Natively, the tool supports nodes for:

  • Processes
  • Files
  • Networking
  • Plugin nodes, which can be used to arbitrarily extend the graph

and currently parses Sysmon logs or a generic JSON log format to generate these graphs.

Key Features are:

  • Identity – If you’re familiar with log sources like Sysmon, one of its best features is that processes are given identities. Grapl applies the same concept to any supported log type, taking pseudo identifiers such as process IDs (which the OS reuses) and resolving them to canonical identities.
  • Analyzers – Analyzers are your attacker signatures. They’re Python modules, deployed to Grapl’s S3 bucket, that are orchestrated to execute upon changes to Grapl’s Master Graph.
  • Engagements – Grapl provides a tool for investigations called an Engagement. An Engagement is an isolated graph holding the subgraph that your analyzers have deemed suspicious, which an investigator can then expand.
  • Event Driven and Extendable – Grapl was built to be extended, since no service can satisfy every organization’s needs. Every native Grapl service works by sending and receiving events, so to extend Grapl you only need to start subscribing to those messages.
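To make the pipeline and the identity problem concrete, here is a toy version of what the post describes: generic JSON log lines become small graphs, those graphs are merged into a master graph keyed by canonical process identity, and a signature is run over the merged graph. This is an added example, not Grapl’s own code or schema; the event format, its field names, the `(host, pid, start time)` identity key and the plain-function analyzer are assumptions made here, and the sample log lines are constructed.

```python
"""Added example, not Grapl's own code: a toy version of the log -> graph ->
master graph -> analyzer pipeline. The event format, field names, identity
key and analyzer function are assumptions for this example; Grapl's real
schema and grapl_analyzerlib API differ."""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[str, int, int]  # (host, pid, start timestamp)


@dataclass(frozen=True)
class ProcessNode:
    """A process with a canonical identity. The OS reuses PIDs, so the pseudo
    identifier (host, pid) is only unique together with the start time."""
    host: str
    pid: int
    started: int
    image: str


def key(p: ProcessNode) -> Key:
    return (p.host, p.pid, p.started)


@dataclass
class MasterGraph:
    processes: Dict[Key, ProcessNode] = field(default_factory=dict)
    children: Dict[Key, Set[Key]] = field(default_factory=dict)  # parent -> children
    connections: Dict[Key, Set[Tuple[str, int]]] = field(default_factory=dict)  # proc -> (dst_ip, dst_port)
    file_writes: Dict[Key, Set[str]] = field(default_factory=dict)  # proc -> paths written

    def resolve(self, host: str, pid: int, at: int) -> Optional[ProcessNode]:
        """Identity step: map the pseudo identifier (host, pid) seen at time `at`
        to the canonical node, i.e. the latest process with that pid that had
        already started. Returns None if no such process start was ever seen."""
        live = [p for p in self.processes.values()
                if p.host == host and p.pid == pid and p.started <= at]
        return max(live, key=lambda p: p.started, default=None)


def merge_event(g: MasterGraph, ev: dict) -> None:
    """Turn one event into a tiny subgraph (a node plus an edge) and merge it into
    the master graph. Edges always point at canonical nodes, never at raw PIDs."""
    host, ts = ev["host"], ev["ts"]
    if ev["type"] == "process_start":
        node = ProcessNode(host, ev["pid"], ts, ev["image"])
        g.processes[key(node)] = node
        parent = g.resolve(host, ev["ppid"], ts)
        if parent is not None:
            g.children.setdefault(key(parent), set()).add(key(node))
        return
    actor = g.resolve(host, ev["pid"], ts)
    if actor is None:
        return  # activity from a process whose start was never seen: nothing to attach it to
    if ev["type"] == "network_connect":
        g.connections.setdefault(key(actor), set()).add((ev["dst_ip"], ev["dst_port"]))
    elif ev["type"] == "file_write":
        g.file_writes.setdefault(key(actor), set()).add(ev["path"])


def build_graph(log_text: str) -> MasterGraph:
    """Parse JSON lines, apply them in time order, and return the merged graph."""
    events = sorted((json.loads(line) for line in log_text.strip().splitlines()),
                    key=lambda e: e["ts"])
    g = MasterGraph()
    for ev in events:
        merge_event(g, ev)
    return g


# Constructed sample log (not captured from a real host). PID 4242 is reused:
# WINWORD.EXE at ts=110 and notepad.exe at ts=200. Keying on the raw PID would
# wrongly credit notepad's file write to the Word process.
SAMPLE_LOG = r"""
{"type":"process_start","host":"ws01","ts":100,"pid":1000,"ppid":800,"image":"C:\\Windows\\explorer.exe"}
{"type":"process_start","host":"ws01","ts":110,"pid":4242,"ppid":1000,"image":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE"}
{"type":"process_start","host":"ws01","ts":120,"pid":5555,"ppid":4242,"image":"C:\\Windows\\System32\\cmd.exe"}
{"type":"network_connect","host":"ws01","ts":125,"pid":5555,"dst_ip":"198.51.100.7","dst_port":443}
{"type":"process_start","host":"ws01","ts":200,"pid":4242,"ppid":1000,"image":"C:\\Windows\\System32\\notepad.exe"}
{"type":"file_write","host":"ws01","ts":210,"pid":4242,"path":"C:\\Users\\bob\\notes.txt"}
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def office_spawns_shell(g: MasterGraph) -> List[dict]:
    """Stand-in for an analyzer: flag an Office process whose child is a shell and
    return the suspicious subgraph (parent, child, the child's network connections),
    which is the material an Engagement would start from."""
    hits = []
    for pkey, kids in g.children.items():
        parent = g.processes[pkey]
        if basename(parent.image) not in OFFICE_APPS:
            continue
        for ckey in sorted(kids):
            child = g.processes[ckey]
            if basename(child.image) in SHELLS:
                hits.append({"parent": parent, "child": child,
                             "connections": sorted(g.connections.get(ckey, set()))})
    return hits


if __name__ == "__main__":
    graph = build_graph(SAMPLE_LOG)
    for hit in office_spawns_shell(graph):
        print(f"{hit['parent'].image} -> {hit['child'].image} {hit['connections']}")
```

Running it reports the single WINWORD.EXE -> cmd.exe lineage together with the outbound connection made by cmd.exe, while the later notepad.exe file write lands on its own node rather than on the Word process that previously held PID 4242. The `resolve` step is the part that does the work the post calls Identity; everything downstream (edges, the analyzer, the subgraph handed to an investigation) relies on it.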

You can read more and download this tool over here:
