Name: How to: Compound Queries In Gravwell
Start: 2023-09-18T15:59:00Z
End: 2023-09-18T15:59:06.000Z
Location: BrightTALK

Gravwell is a data platform with security lake features that enables teams to investigate, collaborate, and analyze data on-demand, from any source — all with unlimited data collection and retention.

Despite being initially released in 2021, many aren't aware of Sysmon's Linux capabilities. 

In this session, we’ll start with the basics of Sysmon on Linux, then quickly dive into expert-level strategies for threat detection and hunting using the Gravwell log aggregation platform. Learn how to streamline your workflow, detect anomalies, and protect your systems with real world techniques.

What You'll Learn:

- Key features of Sysmon for Linux and how to set it up.
- Advanced threat hunting and detection techniques.
- How to leverage Gravwell for threat analytics and event correlation.
- Practical examples and live demonstrations.

Sysmon for Linux: Elevate Your Threat Hunting with Sysmon and Gravwell

At Gravwell, we love when customers put our platform through rigorous testing. 

We enjoy cramming data in and asking weird questions!

But not all vendors are the same and may attempt to avoid the tough, difficult or awkward questions that you need answering in order to really put them through their paces. 

This webinar essentially answers the question: "I need to find every strength, weakness, and pitfall in this SIEM or data lake…what should I ask?"

During the webinar, we will explore the most insightful and relevant questions from anonymized enterprise RFP questionnaires that we have received, incorporating elements from our QA testing approach and adding a touch of skeptical analysis from our experience as vulnerability researchers.

What you get is a fun talk and a playbook for beating up whatever SIEM, Data Lake or log analysis tool you are looking to test.

Top 10 Enterprise SIEM & Data Lake RFP Questions

In the evolving landscape of cybersecurity, traditional "out of the box" solutions and Indicator of Compromise (IOC) functionalities often fall short in addressing novel malware threats and post-exploitation activities. 

In this webinar we will we will share with you advanced techniques for uncovering and mitigating sophisticated cyber threats.

This talk will delve into real-world tips and methodologies for hunting and investigating novel malware activities. We will explore the intricacies of on-the-fly log parsing and nested field analysis, showcasing how these skills are essential in detecting subtle and obfuscated attacker behaviors. 

Participants will learn the process of reassembling egress streams to reconstruct attacker communications and exfiltration strategies, as well as decoding complex attacker payloads to understand the full scope of the threat.

By attending this session, attendees will gain valuable insights into proactive threat-hunting strategies that go beyond conventional security measures. 

We will demonstrate how to effectively identify and respond to novel attacks, emphasizing the importance of a dynamic and thorough approach to cybersecurity.

Webinar duration: 45 minutes

Threat Hunting For Novel Malware Activities

Welcome to an introduction to threat hunting and log analysis. In this webinar, we are going to use a capture-the-flag scenario to introduce you to the fundamental concepts of threat hunting. 

In this scenario, our host (Corey Thuen) has been sought out as an expert to help an organization investigate a potential breach.

The threat hunting team lead has a hypothesis that the attackers were able to obtain access through the SSH daemon in April. 

It is our task to test that hypothesis and provide a report of activity during that period. 

As part of this webinar will walk through the analysis of the logs using the Gravwell platform and determine:

- How many entries are there for this period?
- How many failed entries are there for this period?
- Provide a time series bar chart of users who have successfully logged in during this time and the query used to generate it.
- Provide a geographical map of all login attempts (successful or not) during this time and the query used to generate it. (our network enrichment kit will help)
- How many successful logins occurred during this period?
- Provide a stack graph chart of the count of successful authorizations by accounts and their login methods.

Using our findings we will complete the CTF scenario to:

- Confirm or reject the threat hunting hypothesis.
- If confirmed, we will provide evidence of compromise.
- If rejected, we will provide evidence or searches backing that conclusion.

An Introduction To Threat Hunting and Log Analysis

In this webinar, former FBI Digital Media Exploitation Analyst and Gravwell Solution Engineer Kyle Seike combines Corelight at Home and Gravwell to actively hunt in network logs for unknown threats.

The webinar starts with a walkthrough of the optimal setup for Corelight before moving into the Gravwell Query Studio to actively hunt within the Corelight data.

Our findings are visually represented using the Gravwell dashboards allowing us to create automated alerts should we identify malicious behaviour in the future.

Webinar duration: 25 minutes

Network Analysis With A Former FBI Analyst To Uncover Threats

In this video, we are going to walk through basic operations within Gravwell query studio that an analyst might rely on when exploring their data.

We will gradually step up in complexity throughout this video and ultimately illustrate a common workflow that many SOC analysts are familiar with: hunting for a phish.

The purpose of this content is to step through basic, common queries that a Security Operations Center analyst might use when trying to orient themselves to their data sources.

We will use a series of exploratory queries on tabular data that has been setup with an auto extractor in advance. It is intentionally basic but builds up some basic, important tooling that any analyst will love to have available.

Analyst Workflow: Hunting Down A Phishing Attack

In this video, we will use Gravwell to pivot on several indicators contained in an intelligence report to discover the underlying TTPs that threat actors used within our environment. Then we will take those TTPs and distill them into detection logic that can be rendered back into Gravwell as deployable detections which can be controlled and customized with no-code “Flows”. 

The purpose of this video is to showcase Gravwell’s search capabilities namely we are aiming to develop queries that will allow us to discover threat actor activity on a proactive basis.

In support of this goal we will not be focusing expressly on query logic but rather on the findings surfaced via said queries. We will then transition to the Automation “Flows’ functionality to show how a query can be translated to an automated notification.

Detection Engineering in Gravwell

Compound queries in Gravwell unlock incredible potential for analysts who need to ask critical questions about their data.

In this short video, we use a compound query containing a non-temporal lookup table to combine two discrete data sources in order to understand the different locations from which an attacker was staging their malware and gain further insights into the attacker’s TTPs across our systems.

How to: Compound Queries In Gravwell

Cyber Security

Information Security

Cyber Attacks

Cyber Defence

Cyber Incident Response

Network Security

Network Detection

Security Operations Center

Incident Response

Threat Hunting

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

Enterprise applications have become a crucial piece of infrastructure for many businesses. The enterprise applications community on BrightTALK features the latest insights in enterprise application integration, enterprise application architecture and EAS software. Join the community to gain access to thousands of videos and webinars presented by recognized enterprise information systems experts and arm yourself with the knowledge you need to succeed.

Enterprise Applications

The storage community on BrightTALK is made up of thousands of storage and IT professionals. Find relevant webinars and videos on storage architecture, cloud storage, storage virtualization and more presented by recognized thought leaders. Join the conversation by participating in live webinars and round table discussions.

Storage

Network infrastructure professionals understand that a reliable and secure infrastructure is crucial to enabling business execution. Join the network infrastructure community to interact with thousands of IT professionals. Browse hundreds of on-demand and live webinars and videos to learn about the latest trends in network computing, SDN, WAN optimization and more.

Network Infrastructure

Welcome to the big data and data management community on BrightTALK. Join thousands of data quality engineers, data scientists, database administrators and other professionals to find more information about the hottest topics affecting your data. Subscribe now to learn about efficiently storing, optimizing a complex infrastructure, developing governing policies, ensuring data quality and analyzing data to make better informed decisions. Join the conversation by watching live and on-demand webinars and take the opportunity to interact with top experts and thought leaders in the field.

Big Data and Data Management

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

How to: Compound Queries In Gravwell

Presented by

About this talk

Gravwell