Practical Application of MITRE ATT&CK

Mar 18, 2021 12:38:17 PM / by Corey Thuen posted in Data Fusion, ATT&CK

SC Magazine published an article headlined "SIEM rules ignore bulk of MITRE ATT&CK framework, placing risk burden on users." In the article, Bradley Barth writes about a study showing only 16 percent of the MITRE framework was covered by SIEM rules. 

I take issue with the core premise of this article. MITRE ATT&CK is a framework for high level planning and strategic thinking, not for a series of checkboxes on which to overlay a vendor product. We need to avoid turning cybersecurity into checkboxes. What do I mean? Read on to hear my thoughts on the SC Magazine article, and to see how we work with customers to improve observability without forcing them to fit a pre-defined mold. 

Read More

Slice it Like Roast Beef: Parsing Raw ARP Messages in Gravwell

Feb 23, 2021 9:06:44 AM / by John Floren posted in Data Fusion, compound queries

One of Gravwell's great strengths is binary ingest: you can store things like raw packets, then parse them later when you know what you want to extract. This came in handy recently when I set up IPv6 on my home network and wanted to keep an eye on who's issuing Router Advertisement (RA) messages. A RA message by itself isn't very helpful, since you just get a MAC address and an IPv6 link-local address, but with a little bit of Gravwell query magic, I was able to parse out ARP packets to link the IPv6 address to an IPv4 address, which helps identify the machine.

Read More

Enable Data Fusion & Pivot on Dataset Properties with the Enrich Module

Jan 19, 2021 9:51:59 AM / by Fritz posted in Data Fusion, Software Updates, Logging

Gravwell 4.1 introduces a new module - Enrich - that can add static data to every entry in a query. Sometimes you need to add static data to a dataset, such as the standard deviation itself across all entries in the dataset or annotations about the query, or you may want to fuse several data points from a resource. The enrich module provides this simple but important feature.

Read More

Combine Datasets Like a Boss: Announcing Gravwell 4.1 & Compound Queries

Jan 6, 2021 9:14:59 AM / by Fritz posted in Data Fusion, Software Updates, Logging

The Gravwell team is happy to announce the release of Gravwell 4.1.0 - Gamma Burst.
A few highlights of what's included in the new release:

  • Compound Query support
  • Web UI based ingester
  • A new “enrich” module
  • Temporal mode in the “dump” module
  • Internal performance and stability improvements

(Current users - visit the download page for instructions on updating. For a complete list of changes, see the Gravwell 4.1.0 release notes)

We’ll have a series of blog posts discussing the various features of Gravwell 4.1.0, but we wanted to get started with our favorites - Compound Queries.

Read More

Windows DNS threat hunting with Sysmon and Gravwell

Jun 20, 2019 8:38:00 AM / by Corey Thuen posted in Data Fusion, Microsoft, Windows, Logging, Security, Community Edition, Sysmon

This month has been a big deal for IT logging of windows endpoints. Sysmon v10 was released last Tuesday and it includes the major changes of DNS logging and OriginalFileName reporting for Windows events. If you've ever tried to set up Windows DNS logging before, you understand how awesome this is. This post is all about the new functionality and how to make use of it in Gravwell.

Read More

Using Data Fusion to hunt infrastructure capacity issues

Sep 28, 2017 9:47:20 AM / by Corey Thuen posted in Data Fusion, Case study

 In this post we'll walk through a case study with a customer trying to identify an infrastructure capacity issue in which the system becomes unresponsive during a swell in page visits. We'll follow Alice and Bob (names changed, obviously) as they work through the issue.

Read More