Blog

Windows DNS threat hunting with Sysmon and Gravwell

Jun 20, 2019 8:38:00 AM / by Corey Thuen posted in Data Fusion, Microsoft, Windows, Logging, Security, Community Edition

This month has been a big deal for IT logging of Windows endpoints. Sysmon v10 was released last Tuesday, and it includes two major changes: DNS logging and OriginalFileName reporting for Windows events. If you've ever tried to set up Windows DNS logging before, you understand how awesome this is. This post is all about the new functionality and how to make use of it in Gravwell.

Benchmarking Gravwell's Hybrid Indexing

May 22, 2019 10:06:25 AM / by Kris Watts posted in ingester

We've had some benchmarking requests from multiple organizations struggling with ingest performance from Elasticsearch, so we're publishing them here. The latest Gravwell release marks a significant improvement in ingest and indexing performance and this post covers the nitty gritty details. Better ingest performance means reduced infrastructure cost, less dropped data, and faster time-to-value. See how Gravwell stacks up.

Monitoring Vehicle CANBus Activity with Gravwell

Apr 18, 2019 2:26:29 PM / by Corey Thuen posted in OT Analytics

Before founding Gravwell, I was doing quite a bit of vehicle cybersecurity. Lately I haven't had much opportunity for that kind of fun -- turns out founding a company is time-consuming work. Today is a throwback Thursday, however, as I'll be presenting on CANBus and vehicle security at the local DEFCON meetup. We didn't build Gravwell for car hacking but I gotta say, having Gravwell years ago would have made my life a lot easier…

New Gravwell Feature: Introducing Autoextractors

Feb 27, 2019 10:51:08 AM / by Kris Watts posted in Software Updates

We are excited to introduce autoextractors with Gravwell version 3.0.2. Autoextractors make it easy for regex gurus and binary ninjas to generate extractions and share them in a portable format. Autoextractors can dramatically simplify the process of performing field extractions from unstructured data without complicated time-of-ingest data definitions; they can be built and shared by ninjas and used by us mere mortals.

Fighting social media propaganda

Feb 19, 2019 9:55:00 AM / by John Floren posted in Software Updates, ingester, reddit

We're continuing to work with investigative reporters to research unscrupulous activity on social media. Most recently, Engadget published a piece on nefarious political influencers on Reddit. We’ve written in the past about analyzing social media comments, but didn’t make the ingesters publicly available. With an increasing need for research in this area, we decided that releasing our Reddit and Hacker News ingesters could help new users get started with Gravwell even faster, so we open-sourced them. Read on to learn how to get the ingesters, how to run them, and how to get started with the data.

Announcing the new Gravwell HTTP Ingester

Feb 7, 2019 11:22:19 AM / by John Floren posted in Gravwell Story, ingester, Community Edition

Gravwell recently introduced a new ingester which accepts entries via HTTP POST requests. Now it's easy to send arbitrary data to Gravwell via scripts using only the curl command. In this blog post, we'll use the HTTP ingester to build a weather-monitoring dashboard!

Super Computing 2018 After Action - a case study in threat hunting

Jan 31, 2019 11:01:46 AM / by Corey Thuen posted in Case study

For the 2018 Super Computing Conference (SC18, held in Dallas, TX), Gravwell provided our analytics platform to the Network Security team. These brave souls were responsible for cyber security on a network consisting of $52 million in contributed hardware, software, and services plus 4.02 Terabits per second of external capacity. This means that not only does the SCinet Network Security team need to protect SCinet from the world, it needs to protect the world from SCinet.

Announcing Gravwell Version 3

Jan 24, 2019 10:44:56 AM / by Corey Thuen posted in Gravwell Story, Software Updates, Community Edition

Huge Gravwell updates today!

Thanks for your patience during this short period of radio silence, but it’s been for good reason. Today we’re happy to announce Gravwell version 3 which comes with a whole slew of delicious features and improvements.

The 2018 development year was primarily focused on improving search and ingest performance, scalability, and stability. We’ve made tremendous strides on this front and I’m excited to talk briefly about those here and in greater detail during the coming weeks. Our 2019 has a strong focus on improving out-of-the-box functionality -- keep reading for more info about the update and exciting plans for this year.

Fighting Unpredictable Analytics Costs With All-You-Can-Ingest Pricing

Oct 10, 2018 4:07:31 PM / by Corey Thuen posted in Gravwell Story, Case study, Analytics Economics

One of the biggest complaints that’s heard across the industry is that of cost. “Too expensive” or “untenable pricing scale” are things we have been hearing from colleagues at conferences and on forums for years. Years! Yet we’re still stuck with this extremely frustrating pricing model that disincentivizes people from using the very tool they purchased. What do I mean? Let’s dive in.

Gravwell And Bro

Aug 10, 2018 2:26:18 PM / by Kris Watts posted in Events, Security, Bro

In this detailed technical guide we’ll cover analyzing Bro security analytics with Gravwell. Bro is a passive network security sensor designed to provide a plugin friendly detection framework. There are a myriad of commercial Bro vendors and almost as many ways to format and store the output. Gravwell provides an efficient and simple interface for acquiring, storing, and querying Bro data.
