Asset Events
Asset events are triggered when asset risk levels exceed defined thresholds. They monitor the normalized risk scores of assets and trigger an event if a score rises above the configured risk score threshold. Asset events are created using the standard event definition workflow and support scheduling, filtering, and alerting like other event types in Graylog.
Prerequisites
- You must have a valid Graylog Security license.
- Assets are imported and defined in Graylog. See Asset Enrichment for more information.
Configuration Options
The Asset Events condition type includes the following configuration options:
| Option | Description |
| --- | --- |
| Risk Score Threshold | Specifies the value that triggers an event when an asset's normalized risk score exceeds it. |
| Skip Events on First Run | When enabled, this option stops events from being created the first time the system runs, even if some assets are already above the risk threshold. This setting only applies during the initial run to avoid generating alerts for existing conditions. |
| Use Cron Scheduling | Enables custom scheduling using a cron expression. |
| Execute search every | Sets how frequently the condition runs to evaluate asset risk scores. |
| Enable (Checkbox) | Select this option to execute this event definition automatically. |
During each event execution, Graylog evaluates all assets to identify those with a normalized risk score above the configured threshold. An event is created only if:
- The asset exceeds the threshold.
- The asset has not already triggered an event from this definition.
All non-empty fields from the asset are included in the generated event.
If an asset's risk score exceeds the threshold, an event is triggered; no further events occur unless the score first drops below the threshold and then exceeds it again. For example, if an asset's risk score rises to 85 (above the configured threshold of 80), an event is triggered. If it stays above 80, no new events are generated. If the score later drops to 75 and then rises to 82, a new event is triggered.
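The trigger and re-arm rules above, as an added Python model that is not Graylog's implementation; the asset names, fields and scores are constructed sample data, and the treatment of first-run-suppressed assets on later runs is an assumption:

```python
# Added example (not Graylog code): models the Asset Events trigger rules so the
# once-per-excursion behaviour can be checked against constructed sample data.

EMPTY_VALUES = (None, "", [], {})


class AssetEventCondition:
    """One asset fires once when its normalized risk score exceeds the threshold
    and stays silent until the score drops to or below it and rises again."""

    def __init__(self, threshold, skip_first_run=False):
        self.threshold = threshold
        self.skip_first_run = skip_first_run
        self.first_run_done = False
        # Assets currently above the threshold that have already been handled.
        self.already_triggered = set()

    def evaluate(self, assets):
        """One scheduled execution. `assets` maps asset id -> field dict holding a
        'risk_score' key. Returns the events created during this run."""
        events = []
        for asset_id, fields in assets.items():
            if fields.get("risk_score", 0) > self.threshold:
                if asset_id in self.already_triggered:
                    continue  # still above the threshold: no duplicate event
                self.already_triggered.add(asset_id)
                # Assumption: an asset suppressed by "Skip Events on First Run"
                # stays suppressed until its score drops and exceeds the threshold again.
                if self.skip_first_run and not self.first_run_done:
                    continue
                # The event carries every non-empty field of the asset.
                events.append({k: v for k, v in fields.items() if v not in EMPTY_VALUES})
            else:
                self.already_triggered.discard(asset_id)  # re-arm once below threshold
        self.first_run_done = True
        return events


def simulate(scores, threshold=80, skip_first_run=False):
    """Feeds a sequence of risk scores for one constructed asset through
    consecutive runs and returns the scores that produced an event."""
    condition = AssetEventCondition(threshold, skip_first_run)
    fired = []
    for score in scores:
        asset = {"web-01": {"hostname": "web-01", "ip": "10.0.0.5",
                            "user": "", "tags": [], "risk_score": score}}
        if condition.evaluate(asset):
            fired.append(score)
    return fired


if __name__ == "__main__":
    print(simulate([85, 82, 75, 82]))  # -> [85, 82]
```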
Example Use Case: Alerting on High-Risk Assets
In this scenario, you want to proactively alert your security team whenever an asset's normalized risk score exceeds 80, indicating potentially suspicious or risky behavior.
The objective of this event definition is to automatically detect assets with elevated risk scores and generate a single alert for each qualifying asset to prompt investigation and reduce the risk of alert fatigue.
Create Event Definition
- Create a new Event Definition under Alerts > Events > Event Definitions.
- The configuration wizard begins with the Event Details screen. Set the event title, priority, and description. You can also add an event procedure to provide curated guidance to team members on how to approach alerts on high-risk assets.
- On the Event Condition configuration screen, select Asset Events as the Condition Type.
- Configure the following fields:
  - Risk Score Threshold: 80. This option sets the trigger point for creating an event when an asset's normalized risk score exceeds 80.
  - Skip Events on First Run: Enabled. This setting prevents alerts from being generated during the initial run for assets that are already over the threshold, avoiding immediate noise from existing high-risk assets.
  - Use Cron Scheduling: Disabled. In this case, you rely on a simple interval-based execution.
  - Execute search every: 5 minutes. Graylog evaluates asset risk scores every 5 minutes, ensuring timely detection of changes.
- Proceed to the Fields and Notifications steps to add custom fields and configure how alerts are delivered when this event is triggered.
Monitor Event
Once active, the event definition continuously monitors asset risk scores and triggers an event whenever a score exceeds the configured threshold. Each event includes relevant asset fields such as hostname, IP address, user, and associated tags.
The generated event also fires an alert according to your notification settings and can be routed to your team through a configured channel (e.g. Slack or email). Upon receiving the alert, you can begin triaging the event using the included asset context.