Gravwell is an enterprise data fusion platform that enables security teams to investigate, collaborate, and analyze data from any source, on demand, all with unlimited data collection and retention. Ingest everything. Investigate anything.
We are happy to announce the immediate availability of Gravwell version 3.2.0!
This minor release of Gravwell contains a few new renderers and a bunch of performance improvements. Over the next few days we will be showcasing each of the new features. Check out our changelog for the full technical details.
One of the most exciting new features in Gravwell 3.2.0 is the point-to-point renderer. The point-to-point renderer (called point2point) allows you to display vectors: directional lines with a source and a destination. The point2point renderer can be applied to almost any data source that has a source and a destination location. Many of our customers have requested the point2point renderer for displaying network data, but a few in the ICS space asked for it to display physical systems of lines, pipes, and even roads.
To demonstrate the point-to-point renderer we will apply it to some PCAP data to see the origin and destination of packets on the network. The geoip module is used to provide location information for the packets using the MaxMind GeoIP database. Here is a very basic query which draws flows of network packets:
```
tag=pcap packet ipv4.SrcIP ipv4.DstIP | geoip SrcIP.Location as sloc DstIP.Location as dloc | point2point -srcloc sloc -dstloc dloc
```
By default point2point draws a static set of lines overlaid on a 2D map, but we can turn on animations to make the source/destination relationship more obvious:
2D maps are great to display information quickly, but if you want to impress your boss the interactive 3D globe looks great in SOCs. Click the "Globe" button to toggle to the 3D globe:
By default the thickness of the vectors corresponds to the number of entries seen for that source/destination pair, but with the `-mag` flag you can easily specify a different magnitude:
```
tag=pcap packet ipv4.SrcIP ipv4.DstIP ipv4.Length | geoip SrcIP.Location as sloc DstIP.Location as dloc | sum Length by sloc,dloc | point2point -srcloc sloc -dstloc dloc -mag sum
```
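To make the aggregation behind both queries above concrete, here is an added Python example (not Gravwell code) that reproduces what the `geoip` enrichment and the `sum Length by sloc,dloc` step feed into `point2point`: one vector per (source location, destination location) pair, with either the default per-pair count or the `-mag sum` packet-length total as its magnitude. The GeoIP prefix table and the packet records are constructed sample data; a real deployment would look the addresses up in the MaxMind database instead.

```python
"""Offline model of the flow aggregation that feeds the point2point renderer.

Constructed example for illustration; not Gravwell code. GEOIP_TABLE and
PACKETS are invented sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-in for the MaxMind GeoIP lookup: prefix -> (lat, lon).
# The prefixes are RFC 5737 documentation ranges; the coordinates are made up.
GEOIP_TABLE = {
    ip_network("203.0.113.0/24"): (37.77, -122.42),
    ip_network("198.51.100.0/24"): (51.51, -0.13),
    ip_network("192.0.2.0/24"): (35.68, 139.69),
}

# Constructed packet records, shaped like the SrcIP/DstIP/Length fields the
# query extracts. The last one has a private source address with no location.
PACKETS = [
    {"SrcIP": "203.0.113.5", "DstIP": "198.51.100.9", "Length": 1500},
    {"SrcIP": "203.0.113.5", "DstIP": "198.51.100.9", "Length": 60},
    {"SrcIP": "198.51.100.9", "DstIP": "203.0.113.5", "Length": 60},
    {"SrcIP": "192.0.2.44", "DstIP": "198.51.100.9", "Length": 40},
    {"SrcIP": "10.0.0.2", "DstIP": "198.51.100.9", "Length": 900},
]


def geoip(ip: str):
    """Return (lat, lon) for ip, or None when no prefix in the table matches."""
    addr = ip_address(ip)
    for net, loc in GEOIP_TABLE.items():
        if addr in net:
            return loc
    return None


@dataclass(frozen=True)
class Vector:
    """One directional line as point2point would draw it."""
    srcloc: tuple
    dstloc: tuple
    magnitude: int


def flows(packets, mag="count"):
    """Aggregate packets into (srcloc, dstloc) vectors.

    mag="count" reproduces the renderer's default thickness (entries per pair);
    mag="sum" reproduces `sum Length by sloc,dloc | point2point ... -mag sum`.
    Packets where either endpoint has no location are dropped, since the geoip
    enrichment produces nothing the renderer could place on the map.
    """
    if mag not in ("count", "sum"):
        raise ValueError("mag must be 'count' or 'sum'")
    totals = defaultdict(int)
    for pkt in packets:
        sloc, dloc = geoip(pkt["SrcIP"]), geoip(pkt["DstIP"])
        if sloc is None or dloc is None:
            continue
        totals[(sloc, dloc)] += 1 if mag == "count" else pkt["Length"]
    vectors = [Vector(s, d, m) for (s, d), m in totals.items()]
    return sorted(vectors, key=lambda v: (v.srcloc, v.dstloc))


if __name__ == "__main__":
    for label in ("count", "sum"):
        print(f"magnitude = {label}")
        for v in flows(PACKETS, mag=label):
            print(f"  {v.srcloc} -> {v.dstloc}: {v.magnitude}")
```

Running it shows the same three vectors under both magnitudes, but with very different thicknesses: the pair that exchanged one 1500-byte packet and one 60-byte packet counts as 2 entries yet 1560 bytes, which is exactly the distinction the `-mag sum` query draws. The private-source packet is silently absent from both views, so a sudden drop in drawn vectors is worth checking against the share of traffic that resolves to no location.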
And if you find the default colors a bit boring, you can change the theme on your user preferences page:
A more exhaustive description of point2point's options can be found on its documentation page.
To give Gravwell a try, request a Free Trial using the button below:
If you would like to see how Gravwell can provide unparalleled access to all your data with a predictable total cost of ownership, schedule a demo:
Written by John Floren
John's been writing Go since before it was cool and developing distributed systems for almost as long.