Asset Auto Investigation
Auto investigation enables Graylog to automatically create and manage investigations for assets based on asset risk score thresholds. When enabled, investigations are created without manual user interaction and are continuously updated with relevant event information. This capability is part of the Asset Events workflow and eliminates the need to manually create investigations or associate events for high-risk assets.
In this article, you'll learn how Asset Auto Investigation works and how to enable the Automatically Create Investigation functionality.
Prerequisites
Before proceeding, ensure that the following prerequisites are met:
You must be a Graylog administrator or a user with the following permissions:
- investigations:create: Create investigations.
- investigations:edit: Modify investigations.
- All Events stream (read permissions).
Asset Auto Investigation Explained
When Auto Investigation is enabled and an asset’s risk score exceeds a configured threshold, Graylog automatically creates an investigation with the following properties:
- Investigation Name: Generated using the format: Asset: <asset_name> has a risk score of <risk_score> above threshold <threshold_value>.
- Initial Note: Adds a note explaining why the investigation was created, including:
  - Asset name
  - Risk score
  - Threshold value
  - Event definition name
- Status: Assigns the configured default investigation status.
- Existing Events: Adds all open security events related to the asset as evidence.
When an investigation is automatically created for an asset, it remains active as long as the asset’s risk score stays above the defined threshold. During this time, any additional events associated with the same asset are continuously added to the existing investigation. This ensures that all relevant activity is consolidated into a single investigation for ongoing analysis.
When the asset’s risk score falls below the configured threshold, no new events are added to the investigation. At that point, the system adds a note indicating that the asset has dropped below the threshold and that no further events will be included. The investigation itself remains open, and its status is not automatically changed.
If an investigation is manually closed, archived, or deleted, the system stops adding new events to that investigation. If the asset later exceeds the risk threshold again—whether after dropping below the threshold or after the investigation was manually closed—a new investigation is created. This ensures that each investigation reflects a distinct period of elevated risk.
If multiple event definitions are triggered for the same asset, all related events are still grouped into a single investigation. The system maintains only one active investigation per asset at a time to provide a unified view of activity.
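The lifecycle rules above (one active investigation per asset, evidence appended only while the score stays above the threshold, a closing note when it drops, and a fresh investigation on the next exceedance or after a manual close) are easiest to verify as a small state machine. The following Python simulation is an added example written for this article; it is not Graylog's own implementation or API. The class and method names (AssetAutoInvestigator, Investigation, evaluate), the event ids and asset names are constructed, and it assumes that "exceeds the threshold" means strictly greater than the threshold value.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Investigation:
    """Minimal stand-in for a Graylog investigation (constructed for this example)."""
    name: str
    status: str
    notes: list = field(default_factory=list)     # free-text notes, in order added
    evidence: list = field(default_factory=list)  # event ids attached as evidence
    is_open: bool = True  # False once an analyst closes, archives or deletes it


class AssetAutoInvestigator:
    """Simulates the one-active-investigation-per-asset lifecycle.

    Assumption: a risk score strictly greater than the threshold counts as
    "above threshold"; anything else counts as having dropped below it.
    """

    def __init__(self, threshold: int, default_status: str = "Open") -> None:
        self.threshold = threshold
        self.default_status = default_status
        self.active: dict = {}   # asset name -> its currently fed investigation
        self.history: list = []  # every investigation ever created, in order

    def evaluate(self, asset: str, risk_score: int, open_events: list,
                 event_definition: str) -> Optional[Investigation]:
        """One evaluation pass for an asset; returns the investigation touched, if any."""
        inv = self.active.get(asset)

        # A manually closed/archived/deleted investigation is never fed again.
        if inv is not None and not inv.is_open:
            del self.active[asset]
            inv = None

        if risk_score > self.threshold:
            if inv is None:
                inv = Investigation(
                    name=f"Asset: {asset} has a risk score of {risk_score} "
                         f"above threshold {self.threshold}",
                    status=self.default_status,
                )
                inv.notes.append(
                    f"Auto-created: asset={asset} risk_score={risk_score} "
                    f"threshold={self.threshold} event_definition={event_definition}"
                )
                self.active[asset] = inv
                self.history.append(inv)
            # Every open event for the asset becomes evidence, whichever event
            # definition produced it; ids already attached are skipped.
            for event_id in open_events:
                if event_id not in inv.evidence:
                    inv.evidence.append(event_id)
            return inv

        # Score no longer above threshold: add the note once, stop feeding,
        # but leave the investigation open with its status unchanged.
        if inv is not None:
            inv.notes.append(
                f"Asset {asset} risk score {risk_score} dropped below threshold "
                f"{self.threshold}; no further events will be added."
            )
            del self.active[asset]  # the next exceedance starts a new investigation
        return inv


def run_demo() -> list:
    """Walks one asset through the lifecycle with constructed event ids."""
    auto = AssetAutoInvestigator(threshold=70)
    # Two event definitions fire for the same asset: one investigation, merged evidence.
    auto.evaluate("web-01", 85, ["evt-1", "evt-2"], "Asset Events: Servers")
    auto.evaluate("web-01", 90, ["evt-2", "evt-3"], "Asset Events: Critical")
    # Risk drops: a note is added, evt-4 is not attached, investigation stays open.
    auto.evaluate("web-01", 40, ["evt-4"], "Asset Events: Servers")
    # Risk climbs again: a second, distinct investigation.
    second = auto.evaluate("web-01", 80, ["evt-5"], "Asset Events: Servers")
    second.is_open = False  # an analyst closes it manually
    # Still above threshold after the manual close: a third investigation.
    auto.evaluate("web-01", 95, ["evt-6"], "Asset Events: Servers")
    return auto.history


if __name__ == "__main__":
    for inv in run_demo():
        print(inv.name, "| open:", inv.is_open, "| evidence:", inv.evidence)
        for note in inv.notes:
            print("   note:", note)
```

Running the demo produces three investigations for web-01: the first holds evt-1 through evt-3 and ends with the "dropped below threshold" note while remaining open, the second holds only evt-5 and is the one closed manually, and the third holds evt-6. That matches the rule that each investigation covers one distinct period of elevated risk.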
Enable Auto Investigation
To enable Asset Auto Investigation:
- Navigate to Alerts > Event Definitions.
- Create or edit an Asset Events definition.
- Enter the Risk Score Threshold value (0–100).
- Select the applicable Asset Categories.
- Set the Asset Priorities.
- Choose whether to enable Skip Events on First Run. This setting prevents alerts from being generated during the initial run for assets that are already over the threshold, avoiding immediate noise from existing high-risk assets.
- Select the Automatically Create Investigation checkbox.
- Choose whether to enable Use Cron Scheduling. This option lets you schedule automatically when this event definition runs.
- Configure the Execute search every value. If this option is selected, Graylog evaluates asset risk scores at the time interval entered.
- Complete the Event Definition creation wizard.
Further Reading
Explore the following additional resources and recommended readings to expand your knowledge on related topics:
