Blog

Add Threat Hunting to your SIEM with Gravwell

May 6, 2021 2:50:51 PM / by Corey Thuen posted in Security, SIEM, Threat Hunting

Enhance Security by Removing Limits

SIEMs have historically done well in helping organizations detect threats. Modern threat activity has shown, however, that tracking pre-selected data and relying on IOCs (indicators of compromise) isn't enough to protect business from attackers. Threat hunting and going off the rails of "pre-fabbed search" are absolutely critical to defending organizations. You don't have to read very much Sun Tzu to learn the importance of "Know Thyself" and defenders advantage. SIEMs have let us down in this area. Gravwell provides a solution that removes limits and puts you in control of what data you can collect, and what questions you can ask.

Read More

IPMI and Gravwell Part 2: Making an IPMI Kit

Apr 22, 2021 11:49:36 AM / by Fritz posted in ingester, query, kits

Welcome back to Gravwell HQ! Today we bring you the second post in our two-part blog series on building IPMI ingest and analysis tools. In part one we walked through building an ingester from scratch, and gave an overview of IPMI. In this post, we’ll be taking a tour of how we made our officially supported Gravwell IPMI kit. We’ll go through everything from macros, queries, templates and dashboards, to kit packaging. There’s a lot of great info to cover, so let’s get started!

Read More

What the HEC - Gravwell HTTP Ingester Supports Splunk Compatibility

Apr 15, 2021 8:52:09 AM / by Corey Thuen posted in ingester

The Gravwell HTTP ingester now supports a default config block that's compatible with Splunk HEC ingester defaults. To show this in action, we will use an awesome attacker simulation tool, Scythe and our old pal Sysmon and also tease upcoming purple team content.

Read More

IPMI and Gravwell Part 1: Building an IPMI Ingester

Apr 8, 2021 11:45:13 AM / by Fritz posted in ingester, HOWTO, IPMI

(This post is part one of a two-part technology series around building and using an IPMI ingester and kit. Part two coming soon.)

In many data aggregation and analysis tools, the ecosystem is fully closed source, and often even data ingest protocols are proprietary. This means that if you want to ingest a novel data format of your own, you’re either, a) $%*! out of luck, or b) forced to collapse your data into some form of low performance, textual, line-delimited data that a generic log ingester will work with.

At Gravwell HQ, we take a different approach. All of our ingesters are open source and freely available under a BSD license, and our ingest framework is open and available as a Go library. In this post, we’ll be taking a tour of how we wrote a real and officially supported Gravwell ingester: the new Gravwell IPMI Ingester. We’ll cover how we manage configuration files, set up and manage indexer connections, and transform IPMI data into a flexible JSON schema before sending it out.

Read More

Grouping Related Entries with the Transaction Module

Apr 1, 2021 8:36:00 AM / by Fritz posted in Software Updates

In today's blog, we’ll give a short overview of the transaction module introduced in our most recent update: Gravwell 4.1.5. The transaction module is a powerful module that can rewrite individual entries into grouped entries based on any number of keys--essentially, the transaction module allows you to collate entries based on a given criteria.

Read More

Monitoring HomeLab and Network with Gravwell Community Edition

Mar 25, 2021 9:47:38 AM / by Gravwell posted in Community Edition, Home Operations Center

Gravwell launched our free Community Edition in July 2018, and it has become an invaluable resource for home lab users and anyone looking to monitor their personal network or wrangle large amounts of data (up to 2GB/day) into actionable insights. In this blog post, Dustin Finn, one of our first CE users and recipient of the inaugural “CE User of the Year” Award, shares some of the cool projects he’s working on using Gravwell Community Edition.

Read More

Practical Application of MITRE ATT&CK

Mar 18, 2021 12:38:17 PM / by Corey Thuen posted in Data Fusion, ATT&CK

SC Magazine published an article headlined "SIEM rules ignore bulk of MITRE ATT&CK framework, placing risk burden on users." In the article, Bradley Barth writes about a study showing only 16 percent of the MITRE framework was covered by SIEM rules. 

I take issue with the core premise of this article. MITRE ATT&CK is a framework for high level planning and strategic thinking, not for a series of checkboxes on which to overlay a vendor product. We need to avoid turning cybersecurity into checkboxes. What do I mean? Read on to hear my thoughts on the SC Magazine article, and to see how we work with customers to improve observability without forcing them to fit a pre-defined mold. 

Read More

Announcing the Gravwell Sysmon Kit

Mar 10, 2021 8:22:53 AM / by Kris Watts posted in EventLog, Windows, Security, kits, Sysmon, DNS

We are pleased to announce the immediate availability of the Gravwell Sysmon kit.  This kit is designed to get you started quickly with Sysmon data and demonstrate the art of the possible.  This post will cover the basic contents of the kit and then we will perform a quick investigation of a process that probably shouldn't be running on a corporate machine.

Read More

Slice it Like Roast Beef: Parsing Raw ARP Messages in Gravwell

Feb 23, 2021 9:06:44 AM / by John Floren posted in Data Fusion, compound queries

One of Gravwell's great strengths is binary ingest: you can store things like raw packets, then parse them later when you know what you want to extract. This came in handy recently when I set up IPv6 on my home network and wanted to keep an eye on who's issuing Router Advertisement (RA) messages. A RA message by itself isn't very helpful, since you just get a MAC address and an IPv6 link-local address, but with a little bit of Gravwell query magic, I was able to parse out ARP packets to link the IPv6 address to an IPv4 address, which helps identify the machine.

Read More

Easy Custom Implementations with Gravwell Client Library

Feb 8, 2021 11:32:37 AM / by John Floren posted in developer, API, golang

Version 3.7.0 of the Gravwell open source repository introduces an exciting new feature: a Go library for interacting directly with Gravwell! Our Data Fusion platform has always been about meeting custom analytics needs and not forcing clients onto limited rails for dashboarding, searching, etc. Out-of-the-box only gets you so far, and beyond is where our customers get into doing some really, really cool stuff.

Open sourcing the Gravwell client library makes it much faster for users to get any custom code up and running - which means less time to ingestion, automation, alerting, and other juicy data goodness. This post will show how to instantiate & authenticate a client, then give a few examples of what you can do.

Read More