Blog

Corey Thuen

Co-Founder of Gravwell
Find me on:

Recent Posts

What the HEC - Gravwell HTTP Ingester Supports Splunk Compatibility

Apr 15, 2021 8:52:09 AM / by Corey Thuen posted in ingester

The Gravwell HTTP ingester now supports a default config block that's compatible with Splunk HEC ingester defaults. To show this in action, we will use an awesome attacker simulation tool, Scythe and our old pal Sysmon and also tease upcoming purple team content.

Read More

Practical Application of MITRE ATT&CK

Mar 18, 2021 12:38:17 PM / by Corey Thuen posted in Data Fusion, ATT&CK

SC Magazine published an article headlined "SIEM rules ignore bulk of MITRE ATT&CK framework, placing risk burden on users." In the article, Bradley Barth writes about a study showing only 16 percent of the MITRE framework was covered by SIEM rules. 

I take issue with the core premise of this article. MITRE ATT&CK is a framework for high level planning and strategic thinking, not for a series of checkboxes on which to overlay a vendor product. We need to avoid turning cybersecurity into checkboxes. What do I mean? Read on to hear my thoughts on the SC Magazine article, and to see how we work with customers to improve observability without forcing them to fit a pre-defined mold. 

Read More

What's in a Sysmon Event Pt. 2 - Network Connections

Oct 9, 2020 9:00:50 AM / by Corey Thuen posted in Windows, Sysmon

We're building a Gravwell Kit for Sysmon! This blog series examines some of the event types that Sysmon generates to see what data they contain, opportunities for enhancing security, and example queries with Gravwell. Part 1 covered the Process Creation event type. In part 2 we jump into: Network Connection events!

Read More

What's in a Sysmon Event Pt. 1 - Process creation

Sep 3, 2020 1:09:02 PM / by Corey Thuen posted in Windows, Sysmon

I'm building a Gravwell Kit for Sysmon! This blog series follows the development of that kit for the awesome (free) sensor for Windows EDR, Sysmon. In this series we'll look at each event type that Sysmon generates to see what data it contains, opportunities for enhancing security, and example queries with Gravwell.

Read More

A personal short story about broken pricing models

Aug 21, 2019 1:41:21 PM / by Corey Thuen posted in Gravwell Story, Case study, Logging

This personal story I'm about to tell highlights one of the most important differentiators between Gravwell vs Splunk -- a non-abusive pricing model. Data rates aren't always predictable….

Read More

Windows DNS threat hunting with Sysmon and Gravwell

Jun 20, 2019 8:38:00 AM / by Corey Thuen posted in Data Fusion, Microsoft, Windows, Logging, Security, Community Edition, Sysmon

This month has been a big deal for IT logging of windows endpoints. Sysmon v10 was released last Tuesday and it includes the major changes of DNS logging and OriginalFileName reporting for Windows events. If you've ever tried to set up Windows DNS logging before, you understand how awesome this is. This post is all about the new functionality and how to make use of it in Gravwell.

Read More

Monitoring Vehicle CANBus Activity with Gravwell

Apr 18, 2019 2:26:29 PM / by Corey Thuen posted in OT Analytics

Before founding Gravwell, I was doing quite a bit of vehicle cybersecurity. Lately I haven't had much opportunity for that kind of fun -- turns out founding a company is time consuming work. Today is a throwback Thursday, however, as I'll be presenting on CANBus and vehicle security at the local DEFCON meetup. We didn't build Gravwell for car hacking but I gotta say, having Gravwell years ago would have made my life a lot easier…

Read More

Super Computing 2018 After Action - a case study in threat hunting

Jan 31, 2019 11:01:46 AM / by Corey Thuen posted in Case study

For the 2018 Super Computing Conference (SC18, held in Dallas, TX), Gravwell provided our analytics platform to the Network Security team. These brave souls were responsible for cyber security on a network consisting of $52 million in contributed hardware, software, and services plus 4.02 Terabits per second of external capacity. This means that not only does the SCinet Network Security team need to protect SCinet from the world, it needs to protect the world from SCinet.

Read More

Announcing Gravwell Version 3

Jan 24, 2019 10:44:56 AM / by Corey Thuen posted in Gravwell Story, Software Updates

Huge Gravwell updates today!

Thanks for your patience during this short period of radio silence, but it’s been for good reason. Today we’re happy to announce Gravwell version 3 which comes with a whole slew of delicious features and improvements.

The 2018 development year was primarily focused on improving search and ingest performance, scalability, and stability. We’ve made tremendous strides on this front and I’m excited to talk briefly about those here and in greater detail during the coming weeks. Our 2019 has a strong focus on improving out-of-the-box functionality -- keep reading for more info about the update and exciting plans for this year.

Read More

Fighting Unpredictable Analytics Costs With All-You-Can-Ingest Pricing

Oct 10, 2018 4:07:31 PM / by Corey Thuen posted in Gravwell Story, Case study, Analytics Economics

One of the biggest complaints that’s heard across the industry is that of cost. “Too expensive” or “untenable pricing scale” are things we have been hearing from colleagues at conferences and on forums for years. Years! Yet we’re still stuck with this extremely frustrating pricing model that disincentivizes people from using the very tool they purchased. What do I mean? Let’s dive in.

Read More