Automated Correlation

Most systems in the past have focused on binary “Good” or “Bad” determinations, with an alert-based system on top of them. This approach forces detection engineers to spend all of their time maintaining whitelists, because the cost of a signature matching benign behavior can be significant.


Grapl throws this binary model away. Instead, it provides a gradient, risk-based system, with automated correlation to build up risk profiles. By providing a concept of risk, detection engineers can focus on modeling attacker behavior rather than modeling every single possible user behavior. Rather than constantly maintaining whitelists, or disabling alerts altogether, you can simply adjust your risk score.


Every analyzer in Grapl has an associated risk score. Grapl will automatically correlate the outputs of individual analyzers together to create a composite risk score for the asset, user, or any other specified correlation points.


Here we can see the composite risk where our correlation point is a user’s desktop machine. cmd.exe is involved in two distinct analyzers, svchost.exe and dropper.exe, and so its risk score is significantly higher than just the discrete risks of those two analyzers.


By increasing risk based on overlapping analyzer outputs, Grapl’s correlation will quickly lift up particularly suspicious behaviors, and benign, one-off user behaviors will fade into the background. This means no more wasted time triaging endless false positives, no more maintaining massive whitelists, and more time to focus on truly suspicious behaviors.
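The correlation described above can be sketched as follows. This is an added example, not Grapl's own code: the page does not give Grapl's scoring formula, so the overlap rule (a node's summed risk multiplied by the number of distinct analyzers that matched it) is an assumption, and the analyzer names, risk values and asset names are constructed.

```python
from collections import defaultdict
from typing import NamedTuple

class Hit(NamedTuple):
    analyzer: str     # analyzer that fired (hypothetical names)
    risk: int         # risk score attached to that analyzer
    asset: str        # correlation point, here a machine
    nodes: frozenset  # process nodes involved in the match

# Constructed analyzer outputs; the third line repeats the second on purpose.
HITS = [
    Hit("suspicious_svchost", 10, "desktop-1", frozenset({"cmd.exe", "svchost.exe"})),
    Hit("dropper", 20, "desktop-1", frozenset({"cmd.exe", "dropper.exe"})),
    Hit("dropper", 20, "desktop-1", frozenset({"cmd.exe", "dropper.exe"})),
    Hit("rare_binary", 5, "laptop-2", frozenset({"installer.exe"})),
]

def _analyzers_by(hits, keys):
    """Map each key to its distinct analyzers {name: risk}; repeat firings collapse."""
    grouped = defaultdict(dict)
    for hit in hits:
        for key in keys(hit):
            grouped[key][hit.analyzer] = hit.risk
    return grouped

def _node_keys(hit):
    return [(hit.asset, node) for node in hit.nodes]

def node_risks(hits):
    """Assumed rule: summed risk on a node times the number of distinct analyzers."""
    by_node = _analyzers_by(hits, _node_keys)
    return {key: sum(a.values()) * len(a) for key, a in by_node.items()}

def asset_risks(hits):
    """Composite per asset: each analyzer counted once, plus a bonus per overlapping node."""
    by_asset = _analyzers_by(hits, lambda hit: [hit.asset])
    scores = {asset: sum(a.values()) for asset, a in by_asset.items()}
    for (asset, _node), a in _analyzers_by(hits, _node_keys).items():
        scores[asset] += sum(a.values()) * (len(a) - 1)  # zero when only one analyzer matched
    return scores

def ranked(hits):
    """Assets ordered by composite risk, highest first, for triage."""
    return sorted(asset_risks(hits).items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for asset, score in ranked(HITS):
        print(f"{asset}: {score}")
```

Tuning a noisy analyzer then means lowering its `risk` value rather than adding whitelist entries; a one-off match stays at the bottom of the ranking until something else overlaps with it.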