Graph platform for Detection, Forensics, and Incident Response
Grapl aims to describe a network, and actions taking place on that network, as a graph.
The graph representation makes it easy to express complex attacker signatures that span multiple discrete events. Automated context gathering can be applied to any signature match by expanding the graph around the matched nodes, pulling in related information.
Grapl currently supports graph representations for:
Process start/stop
Internal and External network traffic
What you can do with Grapl today:
Send it data, provided you supply it in the expected format
Query the database for graphs of process trees and their associated files and network activity
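To make the idea concrete (a signature spanning several discrete events, then context expansion around the match), here is an added Python example that is not Grapl's own code and does not use Grapl's data format or query API. It assumes a simplified, constructed event schema (process start/stop and network connection records) and builds a small in-memory property graph from it; the hypothetical signature "Office application spawns a shell that connects to an external address" is then matched against the graph, and the surrounding nodes are pulled in as context.

```python
from collections import defaultdict, deque

# Constructed sample telemetry (not real data). Each record is one discrete event;
# the graph is what lets a detection reason across several of them at once.
EVENTS = [
    {"type": "process_start", "pid": 100, "ppid": 1, "image": "explorer.exe", "ts": 1},
    {"type": "process_start", "pid": 200, "ppid": 100, "image": "winword.exe", "ts": 2},
    {"type": "process_start", "pid": 300, "ppid": 200, "image": "powershell.exe", "ts": 3},
    {"type": "network_connect", "pid": 300, "dst_ip": "203.0.113.7", "dst_port": 443,
     "external": True, "ts": 4},
    {"type": "process_start", "pid": 400, "ppid": 100, "image": "notepad.exe", "ts": 5},
    {"type": "network_connect", "pid": 400, "dst_ip": "10.0.0.5", "dst_port": 445,
     "external": False, "ts": 6},
    {"type": "process_stop", "pid": 300, "ts": 7},
]

# Hypothetical signature vocabulary (assumption for the example, not a Grapl rule).
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}


class Graph:
    """Minimal labelled property graph: nodes carry attribute dicts, edges carry a label."""

    def __init__(self):
        self.nodes = {}                 # node_id -> attribute dict
        self.out = defaultdict(list)    # node_id -> [(edge_label, dst_id)]
        self.inc = defaultdict(list)    # node_id -> [(edge_label, src_id)]

    def add_node(self, node_id, **attrs):
        self.nodes.setdefault(node_id, {}).update(attrs)

    def add_edge(self, src, label, dst):
        self.add_node(src)
        self.add_node(dst)
        self.out[src].append((label, dst))
        self.inc[dst].append((label, src))

    def neighbors(self, node_id, label=None):
        """Outgoing neighbours of a node, optionally restricted to one edge label."""
        return [dst for (lbl, dst) in self.out[node_id] if label is None or lbl == label]


def build_graph(events):
    """Fold discrete events into one graph: process tree edges plus process->ip edges."""
    g = Graph()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "process_start":
            g.add_node(("process", ev["pid"]), image=ev["image"], started=ev["ts"], running=True)
            g.add_edge(("process", ev["ppid"]), "children", ("process", ev["pid"]))
        elif ev["type"] == "process_stop":
            g.add_node(("process", ev["pid"]), running=False, stopped=ev["ts"])
        elif ev["type"] == "network_connect":
            ip = ("ip", ev["dst_ip"])
            g.add_node(ip, external=ev["external"])
            g.add_edge(("process", ev["pid"]), "connected_to", ip)
    return g


def match_office_shell_egress(g):
    """Three-event signature walked as a path: office process -> shell child -> external ip.
    Returns one (office, shell, ip) tuple per match."""
    matches = []
    for node, attrs in g.nodes.items():
        if node[0] != "process" or attrs.get("image") not in OFFICE_APPS:
            continue
        for child in g.neighbors(node, "children"):
            if g.nodes[child].get("image") not in SHELLS:
                continue
            for ip in g.neighbors(child, "connected_to"):
                if g.nodes[ip].get("external"):
                    matches.append((node, child, ip))
    return matches


def expand_context(g, seeds, hops=1):
    """Context expansion: collect every node within `hops` edges (either direction)
    of the matched nodes, so an analyst sees parents, siblings and peers, not just the hit."""
    seen = set(seeds)
    frontier = deque((s, 0) for s in seeds)
    while frontier:
        node, depth = frontier.popleft()
        if depth == hops:
            continue
        for _, nb in g.out[node] + g.inc[node]:
            if nb not in seen:
                seen.add(nb)
                frontier.append((nb, depth + 1))
    return seen


if __name__ == "__main__":
    graph = build_graph(EVENTS)
    for office, shell, ip in match_office_shell_egress(graph):
        print("match:", office, "->", shell, "->", ip)
        print("context:", sorted(expand_context(graph, [office, shell, ip], hops=1), key=str))
```

The signature is a path through the graph rather than a filter on any single event, which is the point of the representation: no one record says "Office spawned a shell that talked to the internet". Raising `hops` in `expand_context` widens the context to include the grandparent process and sibling processes of the match.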