Grapl : Graph platform for Detection and Response

Grapl is a Graph Platform for Detection and Response. In short, Grapl will take raw logs, convert them into graphs, and merge those graphs into a Master Graph. It will then orchestrate the execution of your attack signatures and provide tools for performing your investigations.

Grapl supports nodes for:

  • Processes (Beta)
  • Files (Beta)
  • Networking (Alpha)

and currently parses Sysmon logs or a generic JSON log format to generate these graphs.


Key Features

Identity

If you’re familiar with log sources like Sysmon, one of the best features is that processes are given identities. Grapl applies the same concept to any supported log type, taking pseudo identifiers such as process ids and discerning canonical identities.

This cuts down on storage costs and gives you central locations to view your data, as opposed to having it spread across thousands of logs. As an example, given a process’s canonical identifier you can view all of the information for it by selecting the node.
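As an added illustration (not Grapl's own code), here is one way to turn pid-style pseudo identifiers into canonical identities and merge the resulting process nodes and parent edges into a single graph; the event shape, the hashing scheme and the constructed sample events are assumptions.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample events in a Sysmon-like shape (not real Grapl input).
# pid 4242 is reused on the same host after the first process exits.
RAW_EVENTS = [
    {"host": "ws01", "pid": 4242, "ppid": 500, "name": "explorer.exe", "created_at": 100},
    {"host": "ws01", "pid": 4242, "ppid": 500, "name": "cmd.exe", "created_at": 900},
    {"host": "ws01", "pid": 7001, "ppid": 4242, "name": "powershell.exe", "created_at": 950},
]

def canonical_id(host, pid, created_at):
    """A pid alone is a pseudo identifier (it gets reused); the tuple
    (host, pid, creation time) pins down one process lifetime."""
    raw = f"{host}|{pid}|{created_at}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]

@dataclass
class ProcessGraph:
    nodes: dict = field(default_factory=dict)     # canonical id -> attributes
    children: dict = field(default_factory=dict)  # parent id -> set of child ids

    def resolve_parent(self, host, ppid, at):
        """Most recent process on the same host with pid == ppid created no
        later than the child; None if the parent was never observed."""
        candidates = [
            n for n in self.nodes.values()
            if n["host"] == host and n["pid"] == ppid and n["created_at"] <= at
        ]
        if not candidates:
            return None
        return max(candidates, key=lambda n: n["created_at"])["id"]

    def merge(self, event):
        """Turn one raw event into a node plus a parent edge and merge it in."""
        parent_id = self.resolve_parent(event["host"], event["ppid"], event["created_at"])
        node_id = canonical_id(event["host"], event["pid"], event["created_at"])
        self.nodes[node_id] = dict(event, id=node_id)  # re-merging is idempotent
        if parent_id is not None:
            self.children.setdefault(parent_id, set()).add(node_id)
        return node_id

def build_graph(events):
    """Merge events oldest-first so parents exist before their children."""
    graph = ProcessGraph()
    for event in sorted(events, key=lambda e: e["created_at"]):
        graph.merge(event)
    return graph
```

The two pid-4242 processes become distinct nodes, and powershell.exe is attached to the cmd.exe lifetime rather than the earlier explorer.exe one.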

Analyzers (Beta)

Analyzers are your attacker signatures. They’re Python modules, deployed to Grapl’s S3 bucket, that are orchestrated to execute upon changes to Grapl’s Master Graph.

Analyzers execute in realtime as the master graph is updated.

Grapl provides an analyzer library (alpha) so that you can write attacker signatures using pure Python. See this repo for examples.

Here is a brief example of how to detect a suspicious execution of svchost.exe:

# Process names that are legitimate parents of svchost.exe
valid_parents = get_svchost_valid_parents()

# Match a process whose name is one of the valid parents and which has a
# child named svchost.exe; `client` and `process` (the node whose change
# triggered the analyzer) are assumed to be provided by the analyzer context.
p = (
    ProcessQuery()
    .with_process_name(eq=valid_parents)
    .with_children(
        ProcessQuery().with_process_name(eq="svchost.exe")
    )
    .query_first(client, contains_node_key=process.node_key)
)

Keeping your analyzers in code means you can:

  • Code review your alerts
  • Write tests, integrate into CI
  • Build abstractions, reuse logic, and generally follow best practices for maintaining software

Engagements (alpha)

Grapl provides a tool for investigations called an Engagement. Engagements are an isolated graph representing a subgraph that your analyzers have deemed suspicious.

Using AWS SageMaker-hosted Jupyter Notebooks, Grapl will (soon) provide a Python library for interacting with the Engagement Graph, allowing you to pivot quickly and maintain a record of your investigation in code.

Grapl provides a live updating view of the engagement graph as you interact with it in the notebook, currently in alpha.

Event Driven and Extendable

Grapl was built to be extended – no service can satisfy every organization’s needs. Every native Grapl service works by sending and receiving events, which means that in order to extend Grapl you only need to start subscribing to messages.

This makes Grapl trivial to extend or integrate into your existing services.

Setup

Setting up a basic playground version of Grapl is pretty simple.

To get started you’ll need to install npm, typescript, and the aws-cdk.

Your aws-cdk version should match the version in Grapl’s package.json file.

Clone the repo:

git clone https://github.com/insanitybit/grapl.git

Change directories to the grapl/grapl-cdk/ folder. There should already be built binaries.

Execute npm i to install the aws-cdk dependencies.

Add a .env file, and fill it in:

BUCKET_PREFIX="<unique prefix to differentiate your buckets>"

Run the deploy script: ./deploy_all.sh

It will require confirming some changes to security groups, and will take a few minutes to complete.

This will give you a Grapl setup that’s adequate for testing out the service.

You can send some test data up to the service by going to the root of the grapl repo and calling: python ./gen-raw-logs.py <your bucket prefix>.

This requires the boto3 and zstd Python modules.

Note that this may impose charges to your AWS account.

R K
