Historically, detection has been performed on point anomalies – a log comes in, the log is analyzed, and a decision is made to alert based on that analysis. Similarly, investigations are based on searches over isolated events – an alert fires and you manually try to find related events based on ad-hoc queries.
Grapl aims to move beyond individual events as the fundamental abstraction and focus instead on relationships. Logs are parsed into graph representations and merged into a master graph representing all actions occurring across your environments. This approach allows for relationship-based detections and more efficient, ergonomic investigations.
Grapl handles the work of turning logs into subgraphs, orchestrating signatures that execute across the graph, and automatically scoping investigations by expanding the graph outward from the matched nodes.
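The pipeline described above, as an added example that is not Grapl's own code: constructed process and network events are parsed into subgraphs, merged into one master graph, and a relationship-based signature is evaluated over the result. Node identity is assumed to be the tuple (host, kind, key); the event fields, the `winword.exe` parent and the signature are all hypothetical.

```python
from collections import defaultdict

SAMPLE_LOGS = [  # constructed sample events, not real telemetry
    {"type": "process", "pid": 100, "exe": "winword.exe", "ppid": 1, "host": "h1"},
    {"type": "process", "pid": 200, "exe": "powershell.exe", "ppid": 100, "host": "h1"},
    {"type": "network", "pid": 200, "dst": "203.0.113.5", "host": "h1"},
    {"type": "process", "pid": 300, "exe": "powershell.exe", "ppid": 1, "host": "h1"},
]

def parse_log(log):
    """One log -> one subgraph (nodes, edges). Assumed id: (host, kind, key); real systems key processes on more than pid."""
    host = log["host"]
    if log["type"] == "process":
        me = (host, "process", log["pid"])
        parent = (host, "process", log["ppid"])
        nodes = {me: {"exe": log["exe"]}, parent: {}}
        edges = [(parent, "children", me)]
    else:
        me = (host, "process", log["pid"])
        ip = (host, "ip", log["dst"])
        nodes = {me: {}, ip: {}}
        edges = [(me, "connected_to", ip)]
    return nodes, edges

def merge(graph, subgraph):
    """Merge a subgraph into the master graph: union node properties, union edges."""
    nodes, edges = subgraph
    for nid, props in nodes.items():
        graph["nodes"].setdefault(nid, {}).update(props)
    for src, rel, dst in edges:
        graph["edges"][(src, rel)].add(dst)
    return graph

def build_graph(logs):
    graph = {"nodes": {}, "edges": defaultdict(set)}
    for log in logs:
        merge(graph, parse_log(log))
    return graph

def office_child_with_network(graph):
    """Relationship signature: office app -> child process -> outbound connection.
    No single event is suspicious on its own; the chain across events is."""
    hits = []
    for nid, props in graph["nodes"].items():
        if props.get("exe") not in {"winword.exe", "excel.exe"}:
            continue
        for child in graph["edges"].get((nid, "children"), ()):
            for ip in graph["edges"].get((child, "connected_to"), ()):
                hits.append((nid[2], child[2], ip[2]))
    return hits
```

The standalone `powershell.exe` (pid 300) never matches because its parent is not an office application; only the path through pid 100 to the external address does.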