Overview
Explore graph-based detection and response techniques using Grapl in this 46-minute conference talk from BSidesSF 2020. Learn how to use graphs and Python to build behavior-oriented attack signatures and investigate suspicious activity in your environment. Discover the fundamentals of graph analytics, including examples from financial security and tools like Bloodhound and CloudMapper. Dive into log-based detection, identity management, and Python analyzers. Gain insights on conducting log-based investigations, finding parent processes, and working in Jupyter notebooks. Explore advanced topics such as lenses, graph engagements, pivoting behavior, and visualization techniques. Understand process tree analysis, recursive queries, and how to set up Grapl for enhanced security detection and response capabilities.
Syllabus
Introduction
What is a graph
Examples of graphs
Financial security
Graphs
Bloodhound
CloudMapper
Logs
Nodes
Identity
Log-based Detection
Word and PowerShell
Fundamentals
Python
Python Analyzer
Log-based investigations
Finding the parent process
Jupyter notebooks
Lenses
Graph
Engagements
Pivoting
Pivoting behavior
Visualization and investigation
Grapl plugin
Process tree analysis
Recursive queries
Setting up Grapl
Taught by
Security BSides San Francisco