CONFIDENCE IN ALERTS
It isn’t uncommon for Detection Engineers to build hundreds of attack signatures. MITRE’s ATT&CK Framework alone describes well over one hundred distinct detections, and that’s just the tip of the iceberg. Describing all of these attacks can easily amount to thousands of lines of queries.
SIEMs or other vendor products that use bespoke query languages make managing all of these queries difficult. Concepts like linting, unit tests, code review, or even version control are simply not baked into their systems.
Unlike most products out there, Grapl uses Python for its query language - one of the most popular and best-supported programming languages in the world. This allows users to tap into the massive Python library and tooling ecosystem and follow standard engineering best practices. Whether it’s unit testing in CI/CD, linting your code for common mistakes or anti-patterns, or even applying static analysis tools to weed out bugs, Python’s ecosystem has you covered.
Here you can see mypy, a static type checker for Python, finding an error in this query before it is ever run, speeding up our iteration cycle and reducing the number of bugs that make it to production.
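The following is an added example (not Grapl's own code or API) of what this workflow looks like: a detection rule written against a small, fully type-annotated query builder, with a unit test that runs the rule over constructed sample events so CI can exercise it. `ProcessQuery`, `Process` and the rule name are hypothetical stand-ins.

```python
"""Detection rule as typed Python, plus a unit test.

Hypothetical mini query API used for illustration only; it is not Grapl's API.
"""
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class Process:
    """Constructed stand-in for a process node."""
    process_name: str
    cmdline: str
    parent_name: Optional[str] = None


@dataclass
class ProcessQuery:
    """Typed query builder: each with_* call adds a predicate; query() ANDs them."""
    predicates: List[Callable[[Process], bool]] = field(default_factory=list)

    def with_process_name(self, eq: str) -> "ProcessQuery":
        self.predicates.append(lambda p: p.process_name == eq)
        return self

    def with_parent_name(self, eq: str) -> "ProcessQuery":
        self.predicates.append(lambda p: p.parent_name == eq)
        return self

    def query(self, nodes: Iterable[Process]) -> List[Process]:
        # all([]) is True, so a query with no predicates matches every node.
        return [n for n in nodes if all(pred(n) for pred in self.predicates)]


def suspicious_office_child() -> ProcessQuery:
    """Rule: a command shell whose parent is a word processor.

    Because the builder is annotated, a mistake such as
    .with_process_name(eq=123) is rejected by mypy (int is not str) before
    the rule is deployed, rather than failing silently at query time.
    """
    return ProcessQuery().with_parent_name(eq="winword.exe").with_process_name(eq="cmd.exe")


# Constructed sample events standing in for graph nodes in a unit test.
SAMPLE = [
    Process("cmd.exe", "cmd.exe /c whoami", parent_name="winword.exe"),
    Process("cmd.exe", "cmd.exe /c dir", parent_name="explorer.exe"),
    Process("winword.exe", "WINWORD.EXE /n", parent_name="explorer.exe"),
]


def test_suspicious_office_child() -> None:
    hits = suspicious_office_child().query(SAMPLE)
    assert [h.cmdline for h in hits] == ["cmd.exe /c whoami"]
```

Running `mypy` and `pytest` over a directory of such rule modules in CI gives every detection the same lint, type-check and regression coverage as any other code.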
By allowing you to follow best practices for code maintenance, Grapl drastically reduces maintenance burdens and increases confidence in your ability to detect an attack.