Investigate and Remediate Threats

Threat detection is only the first step in effective security operations. Once suspicious activity is identified, your team must investigate the context, confirm the severity, and take appropriate action. Graylog provides built-in tools that streamline this process, allowing analysts to transition from detection to response with clarity and efficiency.

This section of the documentation introduces key features that help you collaborate on cases, collect supporting evidence, and define consistent response actions to improve your organization’s security posture.

Investigations

Investigations provide a structured way to collect and organize evidence—such as dashboards, logs, saved searches, and events—into a single workspace. Analysts can quickly create investigations, associate events, prioritize tasks, and assign ownership to streamline collaboration and accelerate incident analysis.

Investigations also support complete workflows, such as updating statuses, performing bulk actions, and generating AI-powered reports that summarize findings.

Graylog can automatically create a new investigation for each triggered alert or add alerts as evidence to an existing investigation. This integration streamlines incident response by organizing alerts into structured investigations, helping analysts efficiently manage and prioritize security events without manual effort.

Remediation Steps

Remediation steps allow you to document and standardize necessary response actions if suspicious activity is discovered in your environment. These steps can be tailored to your organization and linked directly to investigations or security events. Integrating remediation into the investigation workflow ensures consistent, complete responses and supports audit and compliance efforts by making security actions transparent and repeatable.