The following article exclusively pertains to a Graylog Security feature or functionality. Graylog Security is a part of the Graylog centralized log management platform and requires a separate license. Contact the Graylog Sales team for more information on this product.

Event Procedures

Graylog's Event Procedures provide a repeatable, guided structure for defining how your organization responds to security events. This feature enhances the process of remediation by introducing actionable steps that can be attached to event definitions, Sigma rules, and anomaly detectors.

In this article, we'll cover what event procedures are, how to create them, and how to add and manage procedural steps.

In Graylog 6.3, Event Procedures has been released as an early access feature for evaluation and feedback purposes, so its design and behavior may change significantly in future releases. To share feedback on your experience with Event Procedures, email feedback@graylog.com.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • A valid Graylog Security license.

Highlights

The following highlights provide a summary of the key takeaways from this article:

  • Event procedures can be defined once and reused across multiple event types, ensuring consistent responses and minimizing redundant configuration.

  • Each procedure consists of structured steps that guide analysts through actions such as running search queries, sending notifications, or opening dashboards.

  • Integrated directly into the Graylog interface, event procedures can be linked to event definitions, Sigma rules, and anomaly detectors, enabling seamless, in-context responses without manual interpretation.

  • By embedding actionable steps in the workflow, event procedures enhance clarity, reduce response times, and drive consistent, efficient security operations.

Event Procedure Components

Event procedures consist of two primary components:

  • The Event Procedure: The container that defines the overall purpose and structure of the response, much like an incident response playbook.

  • Event Procedure Steps: The individual actions to take or instructions to follow when you respond to a possible incident or event.

The Event Procedure

An event procedure serves as a container for one or more predefined response actions. It outlines the purpose of the response, such as addressing brute-force login attempts or detecting malware. When an event procedure is created, it is saved to your library of procedures, allowing you to reuse it as needed instead of recreating your remediation approach each time.

This feature enables teams to standardize remediation workflows, reduce configuration time, and maintain consistency across similar security scenarios. Event procedures can be linked to multiple event definitions, Sigma rules, or anomaly detectors; fostering a scalable and centralized approach to incident management within Graylog.

Event Procedure Steps

Each event procedure contains a step or series of steps that guide you through the response process. Steps can be static text or interactive actions embedded within Graylog. These interactive steps include the following capabilities: 

  • Search Query: Launch a predefined search to analyze related log data or select from your existing saved searches.

  • Notification: Send an email or alert to an individual or group.

  • Go To Dashboard: Navigate to a specific dashboard for contextual data.

When created, these steps are saved to your steps library and can be reused across multiple event procedures. This reuse promotes clarity, consistency, and execution efficiency during incident response.

Event procedure steps function as guided checklists or interactive workflows embedded directly within the Graylog interface. For example, not all security events require immediate remediation. Some may involve actionable next steps such as reviewing contextual data on a dashboard, initiating communication through a notification, or executing a predefined search query to identify related threats. By structuring these actions within an event procedure, Graylog allows analysts to transition seamlessly from detection to investigation to response, without ambiguity or reliance on manual interpretation.

Create Event Procedure

Creating an event procedure in Graylog is the foundational step in defining your incident response workflow.

To create a new event procedure:

  1. Navigate to Graylog Security > Security Events > Procedures.

  2. Click the Event Procedures tab.

  3. Select Create Event Procedure.

  4. Enter a title that clearly describes the use case (e.g. "Brute Force Remediation Procedure") and provide a description summarizing the intent and when the procedure should be used.

  5. Add event procedure step(s) by clicking on the New Step button or select from your existing library of steps by clicking on the From Library  button. You have the option to skip this step and proceed to saving the event procedure.

  6. Click on the Create Event Procedure button to save the created event procedure.

Create Event Procedure Step

After creating the event procedure container, you can add procedural steps. These steps define the specific actions or instructions that your organization should follow when responding to a security event, and they can be text-based instructions, system-driven actions, or a combination of both.

To create an event procedure step:

  1. On the Events Procedures page, click the Steps tab.

  2. Select Create Event Procedure Step.

  3. Enter a title that clearly describes the step(s) (e.g. "Follow these steps sequentially for brute force remediation") and provide a description detailing the steps to be followed.

  4. Toggle the Action button located on the top-right corner of the window to add actionable steps such as launching a search query, navigating to a dashboard for deeper analysis, or sending a notification to a team.

  5. Drag and drop actionable steps to change their order.

  6. Click on Create Event Procedure Step to save the created event procedure steps.

Employ Event-Specific Variables with Event Procedures

Event procedures in Graylog allow you to respond dynamically to specific log events or conditions. One of the most flexible and context-aware aspects of event procedures is the ability to use both pre-defined and custom fields from events and event definitions. This flexibility is enabled through Java Minimal Template Language (JMTE) formatting.

Event procedures and steps support dynamic access to context-specific data via JMTE formatting. This templating syntax allows you to insert and manipulate values from both event definitions and the resulting events directly into your procedure logic.

These values can be:

  • System-defined fields (e.g. ${event.timestamp}, ${event.message}).

  • Custom fields defined by you.

A list of pre-defined fields that can be used is defined in Alerts.

Manage Event Procedures and Steps

Effective management of event procedures ensures that your incident response workflows remain relevant, actionable, and aligned with evolving security threats and your organizational policies.

This section covers how to assign roles and permissions, share, view, edit, and delete both event procedures and event procedure steps.

Assign Roles and Permissions

Managing who can view, create, edit, or execute event procedures is critical to maintaining a secure and reliable incident response workflow. Graylog supports access control through role-based permissions, ensuring that only authorized users can manage or act on event procedures. There are two roles applicable to event procedures:

Role Type Description
Event Procedure Creator Allows creation of event procedures and steps.
Security Admin Grants read/write access to all Security features.

These roles are managed through the Roles section in Graylog:

  1. Navigate to Graylog General > System > Roles.

  2. In the Roles search box, search for and select either the Event Procedure or Security Admin role.

  3. Click on Edit Role .

  4. Locate the user or team using the search field, and click Assign User or Assign Team to assign the selected role accordingly.

Permissions are entity-specific, meaning that in order for a user or team to access an entity (such as a dashboard or saved search) referenced in an event procedure or its steps, they must have explicit permission to that specific entity.

Share Event Procedures and Steps

You can share event procedures and event procedure steps with users and teams; however, necessary permissions must first be granted. For example, if you share an event procedure that references an anomaly detector within its steps, the recipient must have either the Anomaly Detection Manager or Anomaly Detection Reader role to access the referenced entity.

To share an event procedure or step:

  1. Locate the event procedure or step.

  2. Click on the ellipsis next to the selected item and choose Share from the menu options.

  3. From the resulting modal, use the search field to select the desired user(s) and/or team(s).

  4. Click Add Collaborator to include them in the sharing list.

  5. Click Update sharing to finalize and apply the changes.

When sharing an event procedure or step, an information box displays whether the selected user or team has the necessary permissions. This allows you to review and grant the required permission sets before completing the share action.

For example, in the image below, a user is attempting to share an event procedure with user Bob Bobson, but the information dialogue highlights missing permissions required prior to sharing the procedure.

Hint: Event procedures and event procedure steps are managed as separate entities. To ensure full access, make sure to share both the procedure and its associated steps with the intended recipient.

View Existing Event Procedures and Steps

To view all configured event procedures and steps:

  1. Navigate to Graylog Security > Security Events > Procedures.

  2. Select the Event Procedures or Steps tab. Depending on your selection, a list of all existing procedures and event procedure steps will be displayed, including their titles and descriptions.

  3. Click on an event procedure to reveal details like associated event definition, entities, Sigma rules or anomaly detectors.

Edit an Event Procedure

To update the title, description, metadata, or delete an existing event procedure:

  1. Click the ellipsis next to the desired procedure on the Event Procedures page.

  2. From the resulting menu options, select Edit.

  3. Update the title or description fields as needed. You can also add event procedure steps when editing an event procedure.

  4. Click on Save Event Procedure to apply your changes.

Additionally, to delete a procedure, select Delete from the menu and confirm deletion in the prompt.

Manage Steps within a Procedure

To view and edit the steps associated with a procedure:

  1. On the Events Procedures page, click the ellipsis next to the desired procedure.

  2. Then select Edit.

  3. From here, the Edit Event Procedure window displays the event procedure and its associated steps. You can:

    Add a New Step

    • Click on + New Step to create a new step orFrom Library to add step(s) from your library of existing event procedure steps.

    • If you choose to create a new step, in the resulting modal window, fill in the required configuration fields and continue with the steps below. If you are adding steps from your library, select the steps to be added and click on Add Steps to add it to the procedure.

    • Add action steps if needed by toggling Action and selecting your required action type(s).

    • Select Create Event Procedure Step to save the step and to add it to the procedure.

    Reorder Steps

    • Drag and drop steps into the desired sequence. The new order is automatically saved.

    Remove a Step

    • Select the X next to the step you want to remove.

Further Reading

Explore the following additional resources and recommended readings to expand your knowledge on related topics: