Graph Based Queries

Because attackers think in graphs, Grapl provides a graph-based query interface for building out attack signatures. Grapl makes it simple to analyze and express complex behaviors with a simple, powerful language: Python. The combination of graph queries and Python gives you a very expressive way to describe attacker behaviors.

As an example, we can describe a dropper. Droppers are small malicious programs whose job is to bootstrap the true malicious payload. They are an extremely common tool for attackers, but can be difficult to detect in standard systems because the behavior spans several distinct events (a process writes a file, and that file is later executed) rather than a single one.


With Grapl it’s simple to express the fundamental behavior of a dropper, and start tracking any “dropper-like” programs using the following query:

In just a few lines of code we’ve described a complex, multi-stage attacker behavior.
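As an added illustration that is not Grapl's own query DSL or code, the same dropper pattern can be expressed as a graph match in plain Python over a small constructed process/file graph: a process that created a file which a later process was then executed from. The node fields, edge types and sample paths below are assumptions made for the example.

```python
"""Dropper pattern as a graph match (added example, not Grapl's query language).
Nodes: processes and files. Edges: 'created' (process -> file, with a timestamp)
and 'executed_from' (process -> file, via the process image path).
Match: process P --created--> file F <--executed_from-- process Q, with Q
starting after F was written."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Process:
    pid: int
    name: str
    image: str      # path the process executable was loaded from
    start_ts: int   # constructed monotonic timestamp


@dataclass
class Graph:
    processes: dict = field(default_factory=dict)   # pid -> Process
    created: list = field(default_factory=list)     # (pid, file_path, ts)

    def add_process(self, p: Process) -> None:
        self.processes[p.pid] = p

    def add_created(self, pid: int, path: str, ts: int) -> None:
        self.created.append((pid, path, ts))

    def executed_from(self, path: str) -> list:
        # Follow the 'executed_from' edge backwards: which processes ran this file?
        return [p for p in self.processes.values() if p.image == path]


def find_droppers(g: Graph) -> list:
    """Return (dropper_pid, dropped_path, payload_pid) for every match."""
    matches = []
    for pid, path, ts in g.created:              # walk every 'created' edge
        for payload in g.executed_from(path):    # then every process run from that file
            if payload.start_ts > ts and payload.pid != pid:
                matches.append((pid, path, payload.pid))
    return matches


def build_sample_graph() -> Graph:
    # Constructed sample telemetry, not real data.
    g = Graph()
    g.add_process(Process(100, "word.exe", r"C:\Program Files\Office\word.exe", 10))
    g.add_process(Process(101, "update.exe", r"C:\Users\u\AppData\Local\Temp\update.exe", 30))
    g.add_process(Process(102, "notepad.exe", r"C:\Windows\notepad.exe", 40))
    g.add_created(100, r"C:\Users\u\AppData\Local\Temp\update.exe", 20)  # written, then run
    g.add_created(102, r"C:\Users\u\notes.txt", 45)                      # benign write, never run
    return g


if __name__ == "__main__":
    print(find_droppers(build_sample_graph()))  # [(100, '...Temp\\update.exe', 101)]
```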


With graph-based querying, Grapl can catch even the most complex attacks with just a few lines of code.