Blog

Super Computing 2018 After Action - a case study in threat hunting

Jan 31, 2019 11:01:46 AM / by Corey Thuen posted in Case study

For the 2018 Super Computing Conference (SC18, held in Dallas, TX), Gravwell provided our analytics platform to the Network Security team. These brave souls were responsible for cyber security on a network consisting of $52 million in contributed hardware, software, and services plus 4.02 Terabits per second of external capacity. This means that not only does the SCinet Network Security team need to protect SCinet from the world, it needs to protect the world from SCinet.

Fighting Unpredictable Analytics Costs With All-You-Can-Ingest Pricing

Oct 10, 2018 4:07:31 PM / by Corey Thuen posted in Gravwell Story, Case study, Analytics Economics

One of the biggest complaints that’s heard across the industry is that of cost. “Too expensive” or “untenable pricing scale” are things we have been hearing from colleagues at conferences and on forums for years. Years! Yet we’re still stuck with this extremely frustrating pricing model that disincentivizes people from using the very tool they purchased. What do I mean? Let’s dive in.

Security Auditing DNS With CoreDNS and Gravwell

Jul 26, 2018 11:16:19 AM / by Kris Watts posted in Network Analytics, Case study, Logging, Security, automation, Integrations, Home Operations Center, Orchestration

DNS auditing is an integral part of any I.T. security program. Name resolutions can act as a great tip for discovering malware, command and control streams, or misbehaving employees. Acquiring DNS audit data can be difficult with some DNS servers (*cough* Windows *cough*); for this post we are going to show an extremely easy method of getting DNS audit data directly into Gravwell.

Gravwell and Windows Event Logging

Dec 18, 2017 9:00:00 AM / by Kris Watts posted in Case study, EventLog, Windows, Security

TL;DR

We are going to dive into Windows and show how to get logs flowing into Gravwell in under 5 minutes with the WinEvent ingester. Using the Windows queries we will audit login behavior, RDP usage, and some Windows Defender events, and identify when Bob from accounting is copying sensitive financial data to external storage devices. Also, Taylor Swift is involved; don't panic, just stay with me.

Overview

This Gravwell post is all about the wild world of Windows Event logging and analytics. Both Unix and Windows provide standardized central logging facilities; however, the structure and format of the stored logs are dramatically different. Syslog and most other logging systems with roots in Unix approach logging as an unstructured stream: a log entry is a string of text, no more, no less (we are going to ignore journald and its binary madness). Windows, however, logs all events in fully-formed XML and the logging system is integrated into the operating system itself. We should also note that logging in Windows is... less than ideal. If you are coming from the Unix world, throw out all your assumptions; things are different here.

OT Security Analytics - Finding the ground truth

Nov 16, 2017 11:22:40 AM / by Corey Thuen posted in Network Analytics, Case study, OT Analytics

In this post, we take a look at analyzing Industrial Control System data to detect unauthorized manipulation of relays in a process.

Discovering truth through lies on the internet - FCC comments analyzed

Oct 2, 2017 11:30:00 AM / by Corey Thuen posted in Case study, DevOps Analytics

For this post, the Gravwell analytics team ingested all 22 million+ comments submitted to the FCC over the net neutrality issue. Using Gravwell we were able to rapidly conduct a variety of analysis against the data to pull out some pretty interesting findings. We scraped the entirety of the FCC comments over the course of a night and ingested them into Gravwell afterward. It took about an hour of poking around to get a handle on what the data was and the following research was conducted over about a 12 hour period. So we went from zero knowledge to interesting insights in half a day. We’re kinda nerding out about it.

Using Data Fusion to hunt infrastructure capacity issues

Sep 28, 2017 9:47:20 AM / by Corey Thuen posted in Data Fusion, Case study

In this post we'll walk through a case study with a customer trying to identify an infrastructure capacity issue in which the system becomes unresponsive during a swell in page visits. We'll follow Alice and Bob (names changed, obviously) as they work through the issue.

Hunting torrent machines with network analytics

Sep 12, 2017 12:11:37 PM / by Corey Thuen posted in Network Analytics, Case study
