What's New in Graylog 6.2?
Graylog 6.2 delivers expanded integration capabilities, enhanced threat detection, and streamlined investigation workflows across the platform. This release introduces smarter input setup and diagnostics, refined data access with Data Preview and selective retrieval, and enriched alerts with visualizations, filters, and bulk actions. New detection features like Sigma Correlation support and risk amplification through Detection Chains strengthen threat coverage, while updates to asset insights and token management improve operational efficiency for security teams.
Inputs
- Sophos Central Input: New input. Collects events and alerts from the Sophos Central SIEM Integration API, paired with new Illuminate content.
- Mimecast Input: New input. Collects email security logs using Mimecast APIs.
- OpenTelemetry Input: New input. Collects telemetry from OpenTelemetry-instrumented applications and services using the OpenTelemetry Protocol (OTLP) over gRPC.
- Microsoft Graph Input: New input. Supports collecting email logs, Microsoft Entra ID logs, directory, provisioning, and sign-in audit logs using Microsoft Graph APIs.
- AWS Kinesis/CloudWatch Input: Updated input. Now supports ingesting GELF-formatted logs from Amazon S3 buckets, expanding flexibility for cloud-based log collection and integration.
- Salesforce Input: Updated input. Now supports custom Salesforce application URLs by replacing the Instance Name field with a new Base Salesforce URL field, ensuring compatibility with sandbox, developer, and custom domains.
- Input Setup Mode: Guides you through the stream, pipeline, and index set creation process so that data from a new input is properly processed and stored.
- Input Diagnostics: Presents a holistic view of the input, including its state, received traffic statistics, received message count by stream, message errors, and tips for troubleshooting.
- Illuminate Content Hub: Provides a list of available Illuminate packs with search and filters.
Data Management
- Data Preview: Allows you to search data residing in the Graylog Data Lake without impacting your Graylog license. Data Preview uses a simplified log results display that supports bulk actions for data retrieval. The simplified log viewer includes a log message view and the ability to add and re-sort columns and copy messages to the clipboard.
- Selective Data Retrieval: Filter fields have been added so that data retrieved from the Graylog Data Lake can be scoped more specifically to an investigation.
Events and Alerts
- Alert Charts, Filters, Bulk Actions, and Screen Refresh: Added charts for volume and MITRE ATT&CK Tactic (in the Security perspective) to the Alerts and Security Events tabs, along with filterable options and configurable auto-refresh similar to the Search and Dashboard tabs. You can now perform bulk actions for mass updates, including replay search, assigning owners, changing status, and more.
- Threat Coverage Widget: Updated to calculate content coverage based on the specific data feeding into your SIEM.
- Sigma Correlation: Graylog supports Sigma rules and Sigma correlations using the Sigma 2.0 standard.
- Detection Chain Risk Amplifier: Identifies repeated attack techniques, known as Detection Chains, used by adversary groups. Graylog automatically raises the risk score as additional events or alerts related to the same chain are detected.
Assets
- Asset Drilldown Dashboards: Provide a detailed overview of asset activity.
- Asset Drawer Security Event Bulk Actions: Bulk actions can be performed in the Asset Drawer on the Security Events tab.
General
- Security Overview Page: The Security Overview page has been updated with tables reflecting the deployment’s events and alerts, investigations, assets, and threat coverage.
- Token Management: A token management view in the Graylog interface provides centralized management of the tokens created in the system.