Gravwell Integration with Threater

The combination of Threater & Gravwell provides joint customers with a comprehensive approach to cybersecurity that combines actionable threat intelligence with powerful data analytics capabilities.

Threater blocks known bad traffic at scale using a combination of simple, innovative technology and best-in-class threat intelligence. Gravwell’s Data Fusion Platform enables users to easily ingest, store, analyze, and display machine data, including security logs.

The combination of the two platforms provides improved protection from cyber threats and more effective and efficient threat detection, investigation, and response.

Alternate Threater logo
Transparent Gravwell logo


Comprehensive visibility into your security posture.

Improve threat detection.

Reduce the time to investigate and respond to security incidents.


Leverage Gravwell for longterm storage of Threater logs.

Aggregate logs from multiple  Threater appliances in Gravwell.

Use more customizable and advanced analytics, visualization, and reporting capabilities.

Correlate Threater logs with logs from other security controls and systems.

Threater Logs Provide Powerful Data & Syslog Export Capabilities

One of the many powerful features of the Threater platform are powerful logging capabilities with Threater appliances logging every connection (allowed or denied). Logs allow you to look at inbound and outbound connections and quickly see things like:

  • Source and destination IP.
  • What country is an IP from? What network is it from based on Autonomous System Number (ASN)?
  • Was it Allowed or Denied?
  • Why was it Allowed or Denied? Was a connection denied because it was a malicious IP on a threat intelligence feed? The result of a Country (GEO-IP) policy?
  • What threat intelligence feeds are an IP or domain on?

This log data can be analyzed to provide valuable information to help organizations analyze their security posture, identify and remediate threats in real time, and easily solve for false positives.

Threater appliances store a limited amount of log data in memory on the device. To enable organizations to support more comprehensive security monitoring and analytics efforts and satisfy compliance requirements, the platform provides powerful syslog export capabilities.

Syslog export in the Threater platform is also customizable enabling users to control which logs to export to one or more external SIEM tools. Each syslog export is independently configurable such that it can be filtered by Log Type, Resource Group, Verdict (Allowed or Denied), and Direction (Inbound vs. Outbound). This enables users to control what data they are sending to SIEMs, which in turn drives down SIEM costs as these costs are often driven by the volume of data the SIEM is ingesting. As you will see with Gravwell, this is a non-issue as unlimited data and predictable costs are two core components of their solution.

Gravwell Data Fusion Collects Data From Industry-Leading Sensors, Like Threater, for Correlation with Network Events, System Logs, & More

Threater is a crucial source of valuable data necessary to secure networks and systems. The challenge with having a great source of information begets some questions. Where do I put these events? How long can I store them for? Can I correlate with threat feeds, DevOps logs, or Network information? With Gravwell, collection and analysis of Threater events becomes easy.

Gravwell turns your data into a wealth of actionable knowledge. You’ve already invested in software and hardware that generate an overwhelming amount of data – Gravwell protects your budget by eliminating skyrocketing data ingestion costs. Enable your teams to collaborate and work together without limiting what data can be ingested into the platform. With Gravwell, there are no limits.

Gravwell’s Data Fusion Technology allows organizations to expand beyond traditional data collection types. Your teams work better together, and so does your data. Fuse performance, demographics, intelligence, business, and much more with your security and machine data to provide value to each and every part of your organization.

True Scalability

Whether you are ingesting and analyzing 5 Gigabytes a day or 5 Petabytes, Gravwell’s revolutionary technology stack allows you to scale seamlessly – adding additional nodes in just minutes without pausing, resetting, or restarting.

Data Without Limits

Don’t spend time and resources looking at subsets or poor translations of data. Gravwell gives you the ability to ingest and analyze data in its natural state. Machines aren’t limited to a single language and neither is Gravwell.

Unparalleled Visibility

Cut through the noise and visualize what is important to your organization. Bring data, metrics, queries, analytics, and events to life with fully customizable living dashboards.


Empower your administrators, operators, and analysts to eliminate mundane activities and supercharge their efficiency. Gravwell’s powerful automation features can be used to automate workflows, data enrichment, operations, tasks, queries, reports, and take action.

Gravwell’s Data Fusion Platform provides unprecedented capability for data collection and analysis across multiple business units within an organization. Created from scratch out of necessity by industry experts, the Gravwell platform addresses gaps in log and network analytics tools available on the market today. Gravwell powers rock-solid decisions through unlimited analytics, because data is better together.

Gravwell Infographic

Threater Kit for Gravwell

Threater and Gravwell collaborated to develop the Threater Kit for Gravwell. Gravwell Kits are prepackaged use case bundles made of searches, dashboards, resources, and more giving users fast and pertinent real-time visibility into your data.

The Threater Kit for Gravwell automates the process of integrating Threater log data into the Gravwell platform and provides pre-built dashboards that visualize log activity from one or more  Threater appliances.

Aggregated activity dashboards provide a holistic view of your security posture where you can easily see what traffic is being allowed or denied by Country, ASN, Reason (GEO-IP, Denied List, Threat List, Allowed List). You can also look at trends in denied traffic over time.

Aggregated Data Screenshot

Aggregated activity dashboards provide a holistic view of your security posture where you can easily see what traffic is being allowed or denied by Country, ASN, Reason (GEO-IP, Denied List, Threat List, Allowed List). You can also look at trends in denied traffic over time.

The single indicator dashboards lets you easily understand the behavior of a specific indicator, such as an internal IP address. What countries and ASNs is the endpoint being blocked from or allowed to connect from? What were the Reasons (GEO-IP, Denied List, Threat List, Allowed List) resulting in connections being allowed or denied? This dashboard also provides heat maps for egress and ingress GEO-IP and a very cool point-to-point connection graph on a world map.

Geographic Indicators Screenshot

The Threater Kit for Gravwell provides a launchpad for common customers to easily quickly integrate and visualize Threater log data in the Gravwell platform. Within Gravwell, users have the ability to customize, create, and share their own kits to incorporate specialize queries, dashboards, and playbooks.

Threater Learn hero Image

Learn more on the Gravwell website or schedule a demo.

Learn more about Threater.

For more information about Threater’s solutions contact us at 1.855.765.4925 ext 3 , or by email at

Want to Learn More?
Contact Us.

Threater welcomes your questions. Please fill out the Contact Form and a Threater team member will reply within one business day.