Graylog Security

The following article exclusively pertains to a Graylog Security feature or functionality. Graylog Security is a part of the Graylog centralized log management platform and requires a separate license. Contact the Graylog Sales team for more information on this product.

Graylog Security is an integrated security operations layer that extends your existing Graylog log management environment with full Security Information and Event Management (SIEM) capabilities, security analytics, and anomaly detection. Rather than requiring a separate security platform, Graylog Security embeds directly into your Graylog deployment.

New to Graylog Security? The free Intro to Graylog Security Academy course gives you a hands-on walkthrough of the security interface and its core capabilities. Learn how to monitor, detect, and respond to threats.

Prerequisites

  • You must obtain a Graylog Security license to activate the Security product. Contact the Graylog Sales team for more information on purchasing and downloading this license.

  • It is recommended that you upgrade to at least Graylog 4.3 to utilize Security content to the greatest effect.

  • We strongly recommend you deploy Graylog with Data Node to simplify your data management and maximize your Graylog Security experience.

Hint: If you have deployed Graylog with self-managed OpenSearch, we strongly recommend using OpenSearch 2.19. If you are using Elasticsearch with Graylog, you must migrate to OpenSearch to make full use of all Graylog Security offerings.

Security Workspace

This workspace consolidates all security-related features into a single location, accessible from the top navigation bar. The Security tab provides access to the following features:

Threat Coverage

The Threat Coverage feature provides a visualization of the detections that are enabled in your environment and maps them to the MITRE ATT&CK Framework tactics. This allows security teams to quickly assess how well their environment is covered against known threat categories, identify gaps in detection coverage, and prioritize which areas need additional rules or monitoring. By aligning your detections with an industry-standard framework, the Threat Coverage functionality gives you a clear, actionable picture of your environment's defensive posture.

Activity

The Activity section provides an Overview dashboard plus dedicated dashboards for monitoring behavior across four key dimensions of your environment: users, hosts, network traffic, and assets. These dashboards are as follows:

Overview: The Overview dashboard displays high-level visual metrics and other key security indicators for quick situational awareness.

User Activity: A dashboard centered around individual user behavior. Search for a particular user within the logs, review their actions, and visualize their interactions across various parameters. Typical user activities like authentications, permissions, account creation, logon attempts, logon failures, and logon successes are tracked and displayed here.

Host Activity: Displays log data originating from specific hosts or devices. This dashboard supports security analysts in investigating the source of any unusual or significant event tied to a particular machine, server, or endpoint.

Network Activity: Focuses on monitoring network traffic patterns, segmenting activity by source, destination, usernames, IP addresses, and other network identifiers to help surface suspicious communication flows.

Asset Drilldown: Provides visibility into the behavior and risk posture of monitored assets, combining contextual information about users and machines with event data to support faster triage and investigation.

Investigations

The Investigations feature provides a centralized space for managing and tracking security investigations from initial detection through to resolution. Analysts can collect evidence, including messages, events, and anomalies, into a structured investigation timeline.

Anomalies

The Anomalies feature is powered by Graylog's AI/ML Anomaly Detection engine, which learns the baseline behavior of your IT environment and alerts on deviations from normal patterns.

Sigma Rules

Sigma Rules allow you to create and manage detection rules using the open Sigma standard to identify known threats across your log data.
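To show what a Sigma rule is and how detections roll up into ATT&CK tactic coverage (the Threat Coverage feature above), here is an added, self-contained example. It is not Graylog code and does not reproduce how Graylog evaluates Sigma rules internally; it implements a small subset of the open Sigma grammar (a `selection` map with the `contains`, `startswith` and `endswith` field modifiers, an optional `filter`, and the conditions `selection` and `selection and not filter`). The rules, the `_logsource` event metadata key, the `sccm_agent.exe` allow-list, and the log events are all constructed for this example; the `attack.<tactic>` / `attack.t<technique>` tag convention is the one the Sigma project uses.

```python
"""Minimal Sigma-style rule evaluation plus ATT&CK tactic coverage summary.

Added example, not Graylog code. Supports a subset of the Sigma detection
grammar only. Rules and events below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed rules, written as dicts mirroring the Sigma YAML keys.
RULES = [
    {
        "title": "Suspicious PowerShell Encoded Command",
        "status": "enabled",
        "logsource": {"product": "windows", "category": "process_creation"},
        "detection": {
            "selection": {
                "Image|endswith": "\\powershell.exe",
                "CommandLine|contains": ["-enc", "-EncodedCommand"],  # list = OR
            },
            # Hypothetical allow-list: management agent that legitimately uses -enc
            "filter": {"ParentImage|endswith": "\\sccm_agent.exe"},
            "condition": "selection and not filter",
        },
        "tags": ["attack.execution", "attack.t1059.001",
                 "attack.defense_evasion", "attack.t1027"],
    },
    {
        "title": "New Local Admin Added",
        "status": "enabled",
        "logsource": {"product": "windows", "service": "security"},
        "detection": {
            "selection": {"EventID": 4732, "TargetGroup|contains": "Administrators"},
            "condition": "selection",
        },
        "tags": ["attack.persistence", "attack.t1098"],
    },
    {   # Disabled rules must not count toward coverage.
        "title": "LSASS Memory Access (disabled)",
        "status": "disabled",
        "logsource": {"product": "windows", "category": "process_access"},
        "detection": {"selection": {"TargetImage|endswith": "\\lsass.exe"},
                      "condition": "selection"},
        "tags": ["attack.credential_access", "attack.t1003.001"],
    },
]

# Constructed events. "_logsource" carries the event's own source metadata.
EVENTS = [
    {"_logsource": {"product": "windows", "category": "process_creation"},
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc SQBFAFgA"},       # fires rule 1
    {"_logsource": {"product": "windows", "category": "process_creation"},
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Program Files\\SCCM\\sccm_agent.exe",
     "CommandLine": "powershell.exe -EncodedCommand SQBFAFgA"},           # suppressed by filter
    {"_logsource": {"product": "windows", "service": "security"},
     "EventID": 4732, "TargetGroup": "Builtin\\Administrators",
     "MemberName": "CORP\\jdoe"},                                         # fires rule 2
    {"_logsource": {"product": "windows", "category": "process_creation"},
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},      # benign, no match
]


def _field_matches(event, key, expected):
    """Evaluate one 'Field|modifier': value(s) entry. Sigma string matching
    is case-insensitive; a list of values is OR-ed."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    candidates = expected if isinstance(expected, list) else [expected]
    if modifier == "":
        return any(actual == c for c in candidates)
    s = str(actual).lower()
    ops = {"contains": lambda c: c in s, "startswith": s.startswith, "endswith": s.endswith}
    if modifier not in ops:
        raise ValueError(f"unsupported modifier: {modifier}")
    return any(ops[modifier](str(c).lower()) for c in candidates)


def _block_matches(event, block):
    # Entries inside one selection/filter block are AND-ed.
    return all(_field_matches(event, k, v) for k, v in block.items())


def rule_matches(rule, event):
    """True if the event's logsource fits the rule and the condition holds."""
    src = event.get("_logsource", {})
    if not all(src.get(k) == v for k, v in rule["logsource"].items()):
        return False
    det = rule["detection"]
    sel = _block_matches(event, det["selection"])
    if det["condition"] == "selection":
        return sel
    if det["condition"] == "selection and not filter":
        return sel and not _block_matches(event, det["filter"])
    raise ValueError(f"unsupported condition: {det['condition']}")


def run_rules(rules, events):
    """Return (rule title, event index) for every enabled rule that fires."""
    return [(r["title"], i) for i, ev in enumerate(events)
            for r in rules if r["status"] == "enabled" and rule_matches(r, ev)]


def tactic_coverage(rules):
    """Map each ATT&CK tactic (attack.<tactic> tags, not attack.t#### technique
    tags) to the enabled rules that cover it. Tactics with no entry are gaps."""
    cov = defaultdict(list)
    for r in rules:
        if r["status"] != "enabled":
            continue
        for tag in r.get("tags", []):
            m = re.fullmatch(r"attack\.([a-z_]+)", tag)
            if m:
                cov[m.group(1)].append(r["title"])
    return dict(cov)


if __name__ == "__main__":
    for title, idx in run_rules(RULES, EVENTS):
        print(f"ALERT {title!r} on event {idx}")
    for tactic, titles in tactic_coverage(RULES).items():
        print(f"{tactic}: {len(titles)} rule(s)")
```

The two points a practitioner should take from this: the `filter` block is what keeps a known-good parent process from generating noise without weakening the selection itself, and only enabled rules feed the tactic map, so disabling a rule immediately shows up as a coverage gap for its tactic (here `credential_access`).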

Assets

The Assets feature provides an inventory of the users and machines across your environment, enriched with contextual data to support risk-based prioritization. Key capabilities include:

  • Asset-Based Risk Scoring: Organizes and prioritizes alerts by the risk posed to a specific asset (user or machine) using topology-aware risk scoring, resulting in more efficient triage and less alert fatigue.

  • Vulnerability Scan Ingestion: Automatically ingest vulnerability scan reports from tools such as Nessus, CrowdStrike, and Microsoft Defender to calculate higher-fidelity risk scores based on known vulnerabilities.

  • Asset Context in Investigations: Simplifies security investigations by surfacing information about who is performing actions and on which machines, directly within the investigation workflow.