Esta página se muestra en inglés. Una traducción al español está en curso.
ScriptsJul 8, 2026·3 min de lectura

GRR Rapid Response — Google's Open Source Incident Response Framework

A remote live forensics framework by Google for large-scale incident response, enabling security teams to collect artifacts and investigate endpoints at enterprise scale.

Listo para agents

Instalación lista para agent

Este activo puede instalarse después de elegir el runtime, revisar el plan y ejecutar el comando correspondiente.

Native · 98/100Política: permitir
Superficie agent
Cualquier agent MCP/CLI
Tipo
Skill
Instalación
Single
Confianza
Confianza: Established
Entrada
GRR Rapid Response
Comando de instalación directa
npx -y tokrepo@latest install bc49f713-7a64-11f1-9bc6-00163e2b0d79 --target codex

Ejecutar después de confirmar el plan con dry-run.

Introduction

GRR Rapid Response is an incident response framework developed by Google that enables remote live forensics on large fleets of machines. It provides security teams with the ability to collect forensic artifacts, analyze running processes, inspect file systems, and hunt for indicators of compromise across thousands of endpoints simultaneously.

What GRR Does

  • Deploys lightweight agents to Windows, macOS, and Linux endpoints for remote investigation
  • Collects forensic artifacts such as registry keys, browser history, log files, and memory dumps
  • Supports large-scale hunts that query thousands of machines in parallel
  • Provides a web-based management console for analysts to run flows and review results
  • Integrates with SIEM and SOAR platforms for automated incident workflows

Architecture Overview

GRR follows a client-server architecture. The GRR client (agent) runs on each endpoint and communicates over HTTPS with the GRR server. The server consists of a frontend that handles agent communication, a worker that processes collected data, and an admin UI for analysts. Data is stored in a MySQL database with collected artifacts kept in a blob store. The system is designed to scale horizontally to support fleets of hundreds of thousands of machines.

Self-Hosting & Configuration

  • Install the GRR server package on a dedicated Linux machine with MySQL
  • Run grr_config_updater initialize to set up database schema and generate keys
  • Build client installers for target operating systems using grr_client_build
  • Deploy agents to endpoints via software management tools like SCCM or Puppet
  • Configure data retention policies and access controls through the admin UI

Key Features

  • Enterprise-grade scalability tested on fleets of over 100,000 endpoints
  • Artifact-based collection framework with a library of predefined forensic artifacts
  • Timeline analysis for reconstructing event sequences during investigations
  • API-driven architecture enabling integration with automation and orchestration tools
  • Active development and maintenance backed by Google security engineering

Comparison with Similar Tools

  • Velociraptor — lighter and faster for smaller deployments; GRR scales to larger enterprise fleets
  • osquery — provides SQL-like querying of endpoints; GRR focuses on artifact collection and forensic workflows
  • TheHive — case management platform; GRR is the collection agent, and both can be used together
  • DFIR ORC — French government forensic collector; GRR offers broader platform support
  • CrowdStrike Falcon — commercial EDR with proprietary agents; GRR is fully open source

FAQ

Q: What operating systems does GRR support? A: GRR agents run on Windows, macOS, and Linux. The server runs on Linux with MySQL as the backend database.

Q: How does GRR handle endpoint connectivity issues? A: Agents buffer collected data locally and retry transmission when connectivity is restored. Flows remain queued on the server until the client checks in.

Q: Is GRR suitable for real-time threat detection? A: GRR is designed for forensic investigation and incident response rather than real-time detection. It complements EDR and SIEM tools by providing deep artifact collection.

Q: Does GRR require root or admin privileges on endpoints? A: The GRR agent typically runs with elevated privileges to access forensic artifacts like memory, registry, and protected files.

Sources

Discusión

Inicia sesión para unirte a la discusión.
Aún no hay comentarios. Sé el primero en compartir tus ideas.

Activos relacionados