Unicorn Library

SCYTHE Library: Gravwell Integration with SCYTHE

Written by SCYTHE | Jul 21, 2021 4:00:00 AM

Gravwell Integration with SCYTHE

Enterprise-grade platforms have to integrate with other enterprise solutions in order to be effective and efficient for the end user. SCYTHE focuses on providing business value through adversary emulation and showing whether security tools and controls are properly implemented and tuned to detect malicious behavior. We go a step further as a Purple Team platform to help measure and train your people and process once those controls are in place. SCYTHE integrates with solutions such as Splunk, PlexTrac, VECTR, and any SIEM via syslog. SCYTHE 3.2 also has the API fully documented to integrate with SOAR platforms such as Splunk Phantom and Palo Alto Networks xSOAR.
This post covers how to integrate your SCYTHE instances with Gravwell Data Fusion Platform. The integration is very simple as the team at Gravwell has updated their HTTP ingestor to support Splunk-like capabilities. Given SCYTHE already had Splunk integration, the ability to send attack logs to Gravwell is trivial to set up.

Set up Gravwell with a Token Value

In your Gravwell set up, you simply need to modify the config block in the HTTP ingester:

[HEC-Compatible-Listener "scythe"]
        #URL="/services/collector/event" #default URL if omitted
        TokenValue="tokengoeshere" #set the access control token
        Tag-Name=scythe

If you do not have your HTTP injector configured to use encryption keys, that will be required. Sending attack logs in clear text is not good operational security and SCYTHE will only allow you to send it via HTTPS. The full configuration file is available at the bottom of this post.

SCYTHE Settings

Once you have the Gravwell injector data set, all you need to do is copy it over to the Splunk settings section under Administration - Settings as shown in the below screenshot. You need the Host, Key, and Port: 

High quality screenshot is here: https://www.gravwell.io/hubfs/blogimages/2021-04-09-hec/scythe-hec-config.png 

Running a Campaign

Run your favorite SCYTHE campaign and watch the attack data being sent to Gravwell:

High quality screenshot is here:  https://www.gravwell.io/hubfs/blogimages/2021-04-09-hec/raw-scytheevent.png 

This allows for visualization based on MITRE ATT&CK techniques as most SCYTHE TTPs are tagged to MITRE ATT&CK:

High quality screenshot is here: https://www.gravwell.io/hubfs/blogimages/2021-04-09-hec/scythe-tag-chart.png

Want to play with SCYTHE and Gravwell? We will be adding it to our Purple Team Workshop in the coming months. Our next workshop is available here.

Conclusion

We would like to thank our friends at Gravwell and especially their co-founder, Corey Thuen, for building the compatibility between Gravwell HTTP injectors and Splunk. SCYTHE can now easily send attack logs to Gravwell so blue teams and operators can have full visibility into the attack. By having a single pane of glass, blue teams will be able to focus on detection engineering to build security controls as well as testing, measuring, and improving their people and process.

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.