What's New in Graylog 7.1?

Graylog 7.1 delivers major enhancements in alert triage and investigation, behavior analysis, platform administration, and infrastructure performance. This release introduces automatic investigation creation, case-based triage workflows, expanded anomaly detection baselines, and a suite of analyst experience improvements. It also extends platform infrastructure with dynamic shard sizing, parallel archive restore, and a revamped Inputs page.

Alert Triage and Investigation

  • Automatic Investigation Creation: Introduces case-based triage by automatically creating investigations based on Asset Risk thresholds, with options to configure thresholds by user and machine groups to reflect differences in risk appetite across your environment.

  • Event Summary Templates: Surfaces key event details (such as the user and system involved) directly in the description field on the Alerts page, removing the need to open individual event rows.

  • Favorite Fields: Allows users to promote frequently referenced fields to the top of the event view in a user-defined order.

  • Bulk Add to Investigation: Enables relevant logs to be added to an investigation in bulk.

  • CrowdStrike Vulnerability Scanner Integration: Adds support for importing CrowdStrike scan results into Graylog's Asset system, enabling risk-aware triage from a single view.

Behavior Analysis and Anomaly Detection

  • Anomaly Detector Enhancements: Adds vendor-agnostic support, expanded tuning options, and search replay for faster resolution time.

  • Impossible Travel Detection: Adds a new baseline for identifying authentication or activity patterns that are geographically implausible within a given timeframe.

  • Log Fluctuation Detection: Adds a new baseline for identifying abnormal changes in log volume that may indicate data loss, misconfiguration, or an active threat.

  • Sigma Rules from Private Repositories: Adds support for ingesting Sigma rules directly from private GitHub, GitLab, and Bitbucket repositories, with version control support.
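To make the impossible travel baseline above concrete, here is an added example that is not Graylog's code and does not describe how Graylog implements the baseline: it computes the travel speed implied by consecutive logins of the same user and flags pairs faster than a threshold. The event fields, the 900 km/h threshold and the sample logins are constructed assumptions.

```python
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumed threshold: roughly airliner speed
MIN_DISTANCE_KM = 1.0       # ignore geo-IP jitter inside one city

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive logins of one user whose implied speed exceeds max_kmh.

    events: dicts with keys user, ts (timezone-aware datetime), lat, lon.
    Returns (user, earlier_event, later_event, speed_kmh) tuples; speed is
    infinite when two distant logins carry the same timestamp.
    """
    by_user = {}
    for ev in events:
        by_user.setdefault(ev["user"], []).append(ev)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < MIN_DISTANCE_KM:
                continue
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                findings.append((user, prev, cur, round(speed, 1)))
    return findings

def _ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample logins (not real data): alice "travels" New York ->
# London in 90 minutes, bob goes Berlin -> Paris over 12 hours.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": _ts("2024-05-01T08:00:00"), "lat": 40.7128, "lon": -74.0060},
    {"user": "alice", "ts": _ts("2024-05-01T09:30:00"), "lat": 51.5074, "lon": -0.1278},
    {"user": "bob", "ts": _ts("2024-05-01T08:00:00"), "lat": 52.5200, "lon": 13.4050},
    {"user": "bob", "ts": _ts("2024-05-01T20:00:00"), "lat": 48.8566, "lon": 2.3522},
]

if __name__ == "__main__":
    for user, a, b, kmh in impossible_travel(SAMPLE_EVENTS):
        print(f"{user}: {a['ts']:%H:%M} -> {b['ts']:%H:%M} implies {kmh} km/h")
```

In a real deployment the threshold and the minimum-distance filter are the tuning knobs: too low a speed limit flags VPN exits and mobile carrier geo-IP drift, too high misses genuine credential reuse across regions.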

Platform Administration

  • Inputs Page Revamp: Redesigns the Inputs page to make managing large numbers of Inputs and Forwarder Inputs more practical at scale.

  • MongoDB Node Visibility: MongoDB nodes are now visible on the Cluster Configuration page, providing administrators with a more complete view of cluster composition.

  • License Usage Alerts: Adds configurable alerts to notify administrators when ingest usage approaches license limits.

  • Quick Jump: Adds a navigation menu accessible from every page in the Graylog application that allows users to search for and navigate directly to application pages and user-created assets, such as event definitions, pipeline rules, streams, dashboards, and saved searches.

Infrastructure and Search Performance

  • Dynamic Shard Sizing: Automatically sets shard counts to their optimal value, improving search performance in large deployments.

  • Dynamic Shard Count for Restored Index Sets: Scales shard counts during Data Lake restores, resulting in faster data retrieval.

  • Azure Blob Storage: Archives, warm tier, and Data Lake can now run natively on Azure Blob.