Grapl is a Graph Platform for Detection and Response with a focus on helping Detection Engineers and Incident Responders stop fighting their data and start connecting it. Find out more on our GitHub.
For now, our documentation primarily focuses on grapl_analyzerlib. grapl_analyzerlib provides a Python interface for end-users to interact with the data in Grapl.
.. note::

   Grapl's documentation is still a work in progress.
.. toctree::
   :caption: Documentation
   :maxdepth: 1

   queryable
   analyzers/index
   setup/index
   plugins/index

.. toctree::
   :caption: Nodes
   :maxdepth: 1
   :glob:

   nodes/*

.. toctree::
   :caption: Development
   :maxdepth: 1
   :glob:

   development/*
Queries and Views are the main constructs to work with the graph.
Queries allow you to pull data from the graph that matches a structure.
Views represent an existing graph, which you can expand by pivoting off of its edges.
Let's query for some processes with the name "svchost":

.. code-block:: python

   from typing import List

   from grapl_analyzerlib.prelude import *

   # Create a client to talk to Grapl
   gclient = GraphClient()

   # Build a query for processes named svchost.exe and execute it
   svchosts = (
       ProcessQuery()
       .with_process_name(eq="svchost.exe")
       .query(gclient)  # Execute the query
   )  # type: List[ProcessView]
Now we can pivot around that data. Let's look at the parent processes of these svchosts:

.. code-block:: python

   for svchost in svchosts:
       # Expand the view along its parent edge; skip processes with no known parent
       if svchost.get_parent():
           print(svchost.parent.get_process_name())
Install grapl_analyzerlib by running:

.. code-block:: shell

   pip install --user grapl_analyzerlib
The project is licensed under the Apache 2.0 license.