Traditionally, detection has been performed on point anomalies: a log comes in, the log is analyzed, and a decision is made to alert based on that analysis. Similarly, investigations are based on searches over isolated events: an alert fires and you manually try to find related events with ad-hoc queries. Grapl aims to move beyond individual events as the fundamental abstraction and focus instead on relationships. Logs are parsed into graph representations and merged into a master graph representing all actions occurring across your environments. This approach allows for relationship-based detections (e.g., Word isn't scary, and bash isn't scary, but Word spawning bash is scary) and more efficient, ergonomic investigations. Grapl handles the work of turning logs into subgraphs, orchestrating signatures executing across the graph, and automatically scoping investigations through expansion of the graph. I hope to demonstrate the benefits of a graph-based approach to DFIR, and how Grapl can aid in that approach.
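
The relationship-based detection described above, as an added sketch that is not Grapl's code or API: constructed process-start events are merged into one graph, a parent/child signature runs over it, and the hit is expanded to its descendants. The field names, `MasterGraph` and the helper functions are hypothetical, and keying nodes by (host, pid) is a simplifying assumption that ignores PID reuse.

```python
import json
from collections import defaultdict

# Constructed events (hypothetical fields, not Grapl's schema); child logged before parent.
SAMPLE_LOGS = """\
{"host": "ws-01", "pid": 300, "ppid": 200, "image": "bash.exe"}
{"host": "ws-01", "pid": 200, "ppid": 100, "image": "winword.exe"}
{"host": "ws-01", "pid": 400, "ppid": 300, "image": "curl.exe"}
{"host": "ws-02", "pid": 300, "ppid": 50, "image": "bash.exe"}
{"host": "ws-02", "pid": 50, "ppid": 1, "image": "explorer.exe"}
"""

class MasterGraph:
    def __init__(self):
        self.nodes = {}                    # (host, pid) -> attributes
        self.children = defaultdict(set)   # parent key -> child keys

    def merge(self, event):
        """Merge one event's subgraph (process node plus parent edge)."""
        key, parent = (event["host"], event["pid"]), (event["host"], event["ppid"])
        self.nodes.setdefault(key, {})["image"] = event["image"]
        self.nodes.setdefault(parent, {})  # placeholder until the parent's log arrives
        self.children[parent].add(key)

def build(log_text):
    graph = MasterGraph()
    for line in log_text.splitlines():
        graph.merge(json.loads(line))
    return graph

def parent_child_hits(graph, parent_image, child_image):
    """Signature over a relationship: parent_image spawning child_image."""
    return sorted((p, c) for p, kids in graph.children.items()
                  if graph.nodes[p].get("image") == parent_image
                  for c in kids if graph.nodes[c].get("image") == child_image)

def expand(graph, root):
    """Scope an investigation: all descendants of the flagged process."""
    scope, stack = [], [root]
    while stack:
        for child in sorted(graph.children.get(stack.pop(), ())):
            if child not in scope:
                scope.append(child)
                stack.append(child)
    return scope

if __name__ == "__main__":
    g = build(SAMPLE_LOGS)
    for parent, child in parent_child_hits(g, "winword.exe", "bash.exe"):
        print("hit:", parent, "->", child, "scope:", expand(g, parent))
```

The bash process on ws-02 is not flagged because its parent is not Word, which is the distinction a per-event rule on the image name alone cannot make.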