Grapl includes models for relationships between processes and network connections.
You can leverage Grapl to model complex relationships between various types of events in your environment, like a process that is making network connections on an endpoint owned by a particular user in your environment.
Grapl ships with built-in plugins so it’s ready to use with common data sources like processes, assets, or users, or you can write custom plugins for events specific to your environment.
Grapl ingests your raw logs
Parses any log input, such as osquery or sysmon, and extracts the underlying information
Builds a unified graph data structure that represents all of the entities and behaviors in your network
Exposes that graph for analytics
You write attack signatures in Python
Abstract data regardless of the source
Build up a set of tools for querying the graph
Programmatic contexting of signatures
You can use it for follow-up actions like custom additional contexting or notification actions.
Grapl detects suspicious activity in the graph that other SIEMs can't
Automatically send alerts to your D&R team
Responders can investigate the attack visually and in Jupyter notebooks
Correlate attacker behaviors at a glance
You catch attackers
Start off with a small, suspicious graph
Encompass the full scope of an attacker’s behaviors
Gives detection engineers control over how they want to explore their logs
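The pipeline described above (raw logs in, a unified graph of entities and behaviors, Python attack signatures run over that graph, and a risk score rather than a binary alert) can be sketched in plain Python. The following is an added, self-contained illustration written for this page; it is not Grapl's own code or API, the log lines are constructed sysmon-style JSON events, and the process/shell lists and risk weights are assumptions chosen for the example.

```python
"""Added example, not Grapl's code: a miniature log-to-graph-to-signature pipeline."""
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample telemetry (sysmon-like JSON, one event per line); not real data.
RAW_LOGS = [
    '{"event": "process_create", "pid": 100, "ppid": 1, "image": "explorer.exe", "user": "alice", "host": "ws-01"}',
    '{"event": "process_create", "pid": 200, "ppid": 100, "image": "winword.exe", "user": "alice", "host": "ws-01"}',
    # Network event arrives before its process_create to show out-of-order handling.
    '{"event": "network_connect", "pid": 300, "dst": "203.0.113.10", "dport": 443, "host": "ws-01"}',
    '{"event": "process_create", "pid": 300, "ppid": 200, "image": "powershell.exe", "user": "alice", "host": "ws-01"}',
    '{"event": "process_create", "pid": 400, "ppid": 100, "image": "chrome.exe", "user": "alice", "host": "ws-01"}',
    '{"event": "network_connect", "pid": 400, "dst": "198.51.100.5", "dport": 443, "host": "ws-01"}',
]

# Assumed image lists for the signature; a real deployment would tune these.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}


@dataclass
class Process:
    """A process node; edges are parent/children and outbound connections."""
    pid: int
    image: str
    host: str
    user: str
    parent: Optional["Process"] = None
    children: list = field(default_factory=list)
    connections: list = field(default_factory=list)  # (dst_ip, dst_port)


def parse_line(line: str) -> dict:
    """Parser 'plugin' for this toy format; a different source would get its own parser."""
    return json.loads(line)


def build_graph(lines) -> dict:
    """Join parsed events into a process graph keyed by (host, pid).

    Two passes: first create every process node, then attach parent edges and
    network connections, so events that arrive out of order still join correctly.
    """
    events = [parse_line(line) for line in lines]
    procs: dict = {}
    for ev in events:
        if ev["event"] == "process_create":
            procs[(ev["host"], ev["pid"])] = Process(ev["pid"], ev["image"], ev["host"], ev["user"])
    for ev in events:
        key = (ev["host"], ev["pid"])
        if ev["event"] == "process_create":
            parent = procs.get((ev["host"], ev["ppid"]))
            if parent is not None:
                procs[key].parent = parent
                parent.children.append(procs[key])
        elif ev["event"] == "network_connect":
            proc = procs.get(key)
            if proc is not None:  # connection from an unseen pid is dropped, not crashed on
                proc.connections.append((ev["dst"], ev["dport"]))
    return procs


def office_spawns_shell(graph: dict) -> list:
    """Attack signature as a graph query: an office app launching a shell.

    Returns a risk-scored finding per matching subgraph instead of a yes/no alert;
    the weights are assumed values for illustration.
    """
    findings = []
    for proc in graph.values():
        if proc.image not in SHELLS or proc.parent is None:
            continue
        if proc.parent.image not in OFFICE_APPS:
            continue
        risk = 30  # office app -> shell is unusual on its own
        if proc.connections:
            risk += 40  # the spawned shell also reaches out to the network
        findings.append({
            "host": proc.host,
            "user": proc.user,
            "chain": [proc.parent.image, proc.image],
            "connections": list(proc.connections),
            "risk": risk,
        })
    return findings


def risk_by_host(findings) -> dict:
    """Summary risk profile: accumulate finding scores per asset."""
    totals: dict = {}
    for f in findings:
        totals[f["host"]] = totals.get(f["host"], 0) + f["risk"]
    return totals


if __name__ == "__main__":
    graph = build_graph(RAW_LOGS)
    for finding in office_spawns_shell(graph):
        print(finding)
    print(risk_by_host(office_spawns_shell(graph)))
```

Running it yields one finding: winword.exe spawning powershell.exe, which then connects to 203.0.113.10:443, scored 70, while chrome.exe's connection produces nothing because the signature is a structural query over parent/child edges rather than a match on a single log line. The pieces map onto the page's description: parse_line is the per-source plugin, build_graph is the join into a unified graph, office_spawns_shell is the Python signature, and risk_by_host is the per-asset summary a responder would triage.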
Features
Built by security engineers for professional security teams
Graph-Based Queries
Catch attackers in your environment faster with more powerful, contextualized detection logic.
Confidence in Alerts
Express complex attacker behavior as a graph, and apply unit tests, linters, and static typing to your attack signatures.
Risk Based
Grapl leverages a risk-based approach instead of a binary black-and-white alert-based approach, eliminating the concept of false positives altogether.
Pluggable
Extend Grapl to represent all of your data using our plugin system.
Notebook Investigations
Leverage powerful data science tools like Jupyter notebooks for your investigations.
Code First Detections
Build summary risk profiles using the Python programming language to investigate suspicious activity in your environment.
Grapl lets you meet your working needs.
Working with security logs is a massive time sink that takes away time that you should be spending building new attack signatures and catching attackers.
Grapl cuts out tedious data-fighting work for you by cleaning and joining raw logs that get exposed as a powerful graph which represents all of your entities and behaviors across your environments.
Frequently asked questions
Can Grapl support my custom data sources?
Grapl provides plugin capabilities that can be leveraged to parse arbitrary data sources - you have the full power of code at your disposal to parse even the most complex data formats, leveraging open source libraries to do so.
Does Grapl come with any detection rules out of the box?
We build detection rules and open source them based on our own usage or user feedback. Some rules may only be available to customers upon request, and we're happy to assist customers who are looking to detect attacks we don't yet cover. You can find a set of Grapl detection rules here.
How does Grapl compare to other SIEMs?
Grapl is truly different from the rest of the SIEM marketplace. We're the only SIEM that provides a code and API first approach with powerful graph analytics, enabling detections that are hard or impossible in other SIEMs.
When will I be able to use Grapl?
We're hard at work to make sure that Grapl is efficient, effective, and as secure as it can be. We expect to release in early 2022 - reach out for more details or if you're interested in being an early adopter.