The following article exclusively pertains to a Graylog Security feature or functionality. Graylog Security is a part of the Graylog centralized log management platform and requires a separate license. Contact the Graylog Sales team for more information on this product.

Graylog Security Investigations let analysts quickly gather and analyze data in real time, so you can see the full context of an issue or threat without spending hours trawling through logs.

With Graylog Investigations, you can:

  • Create investigations based on timelines, data sets, events and alerts.

  • Associate events with investigations.

  • See associated data points grouped in a single location.

  • Create and reuse investigations to save time and effort.

  • Quickly narrow down results.

  • Collaborate with multiple users on investigations by sharing, assigning, and notifying assignees.

Prerequisites

  • A valid Graylog Security license is required. Contact the Graylog Sales team for more information on purchasing and downloading this license.

How It Works

An investigation is a collection of Graylog items (dashboards, logs, searches, and events, collectively called "evidence") grouped in one place. You can create, update, archive, and delete investigations.

There are three primary menus on the Investigations page:

  • Open: Displays all open investigations.

  • Archived: Displays all archived investigations.

  • Config: Configuration options for managing priorities and status settings.

Default Priority and Status

On the Config tab, you can designate a default priority and status for new investigations. Hovering to the left of the edit button on any priority or status will reveal a Set Default button. Clicking this button will designate that priority or status as the default option when creating a new investigation.

Create a New Investigation

The following instructions detail how to manually create a new investigation with Graylog. To automatically generate a new investigation based on an alert from a defined event, see the related documentation.

  1. In Graylog, open the drop-down menu on the Graylog logo and click Security. This switches you to the Security layout, where all your security-related content is located. Select Investigations from the top-level menu.

  2. On the Investigations page, click the New Investigation button, and a window appears, prompting you to fill out details of a new investigation:

    • Name: Provide a unique name for your new investigation.

    • Assign To: Select the users or teams to assign the new investigation to. (Only users with the Admin, Investigations Manager, or Investigations Reader role can be assigned to investigations.)

    • Priority: By default there are four priorities: Low, Medium, High, and Critical. You can edit them on the Config tab of the Investigations page: create new priorities, set the order in which they rank, and delete priorities as needed.

    • Status: By default there are four statuses: Open, Investigating, Closed, and False Positive. You can also edit them on the Config tab of the Investigations page, creating new statuses or deleting existing ones.

    • Notes: Here, you can collect ideas, thoughts, and notes connected to an investigation to share with others.

  3. Fill in the details and click Confirm to create a new investigation. The newly created investigation will appear on the Investigations page, and you can start adding evidence to it as you navigate through your data.

Add Evidence to Investigations

After creating an investigation, the next step is to add evidence to it. Dashboards, logs, searches, and events can all be added as evidence.

This section details how to add evidence to an investigation manually; however, you may also opt to add evidence to an existing investigation automatically based on an alert created from a defined event. For more information on this process, see Investigations and Alerts.

Searches

Searches let you quickly find information relevant to an investigation. You can add a saved search as evidence directly from the search itself: click the ellipsis icon to the right of the search bar and choose whether to add it to the active investigation or to another existing investigation.

Hint: A search may have either an absolute or a relative time range when you save it. See Determine Relative Time Or Absolute Time Ranges below for how each is handled when the search becomes evidence.

Dashboards

Dashboards help you visualize data and understand trends over time, which can be relevant to any investigation. You can add a dashboard as evidence directly from the Dashboards page: click the More drop-down action button and choose whether to add it to the active investigation or to another investigation.

As with saved searches, dashboard widgets may use either absolute or relative time ranges. See Determine Relative Time Or Absolute Time Ranges below for details.

Logs

Individual log messages are often key pieces of source data for an investigation. To add a log message as evidence, click the search result and, from the Investigations sub-menu, choose whether to add it to the active investigation or to another investigation.

Events

Alerts and events are often the most important pieces of evidence for an investigation. For instance, if an alert for several unsuccessful login attempts is triggered, then you can jump right into an investigation by adding the events as evidence directly from the Events page itself.

Depending on your index rotation and archiving configuration, the source messages and events behind a piece of evidence can age out of the indices that hold them. To keep evidence attached to investigations available after the source data is gone, Graylog provides two streams:

  • All Investigation events: receives a copy of every event added as evidence, across all investigations.

  • All Investigation messages: receives a copy of every log message added as evidence, across all investigations.

Any log message or event added as evidence is duplicated into these streams so that the investigation retains its own copy.

Associated Assets

Associated assets are extracted from the log and event evidence when an individual investigation is retrieved, and are returned with the investigation in an associated_assets field.

Assign Investigations

Once you have added evidence to an investigation, you can assign the investigation to other users or teams. An investigation can be assigned when it is created or later, by editing the existing investigation.

Enable Investigation Assignment Email Alerts

Graylog can send an email notification whenever an investigation is assigned. This is enabled by default on existing installations. To disable it:

  1. On the Investigations page, navigate to the Config tab.

  2. Locate the Enable Investigation assignment email notifications capsule button and toggle to disable this setting.

When enabled, an email is sent to the assigned user and to each assigned team as soon as the assignment is made.

Warning: This feature requires that the transport_email_server configuration setting in server.conf is properly configured so that your Graylog instance can send email. If it is not, the notification is silently not sent.
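Because a broken mail transport produces no error in the Investigations UI, it is worth checking server.conf before relying on assignment notifications. The following is an added example, not Graylog code: it parses the key = value lines of a constructed server.conf fragment and reports the conditions that most often leave a notification unsent. The key names are the transport_email_* settings documented for server.conf; the port and TLS/SSL conflict rules are this script's own conservative heuristics, not Graylog's validation.

```python
"""Preflight check of the transport_email_* settings in Graylog's server.conf.

Added example, not Graylog code. Assumes the documented transport_email_*
key names; the TLS/SSL and port checks are heuristics of this script.
"""

# Constructed server.conf fragment, not from a real deployment.
SAMPLE_SERVER_CONF = """\
# Email transport
transport_email_enabled = true
transport_email_hostname = mail.example.internal
transport_email_port = 587
transport_email_use_auth = true
transport_email_auth_username = graylog
transport_email_auth_password =
transport_email_use_tls = true
transport_email_use_ssl = true
transport_email_from_email = graylog@example.internal
"""


def parse_server_conf(text):
    """Parse Graylog's key = value format into a dict (later keys win)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def _is_true(conf, key):
    return conf.get(key, "false").lower() == "true"


def check_email_transport(conf):
    """Return a list of problems; an empty list means the transport looks usable."""
    if not _is_true(conf, "transport_email_enabled"):
        # Nothing else matters when the transport is off.
        return ["transport_email_enabled is not true: no notification email will be sent"]
    problems = []
    if not conf.get("transport_email_hostname"):
        problems.append("transport_email_hostname is empty")
    port = conf.get("transport_email_port", "")
    if not port.isdigit() or not 0 < int(port) < 65536:
        problems.append(f"transport_email_port is not a valid port: {port!r}")
    if _is_true(conf, "transport_email_use_auth"):
        for key in ("transport_email_auth_username", "transport_email_auth_password"):
            if not conf.get(key):
                problems.append(f"transport_email_use_auth is true but {key} is empty")
    if _is_true(conf, "transport_email_use_tls") and _is_true(conf, "transport_email_use_ssl"):
        # Heuristic: STARTTLS (tls) and SMTPS (ssl) are alternatives; pick the
        # one your mail server expects on the configured port.
        problems.append("transport_email_use_tls and transport_email_use_ssl are both true; "
                        "use one or the other")
    if not conf.get("transport_email_from_email"):
        problems.append("transport_email_from_email is empty")
    return problems


if __name__ == "__main__":
    for problem in check_email_transport(parse_server_conf(SAMPLE_SERVER_CONF)):
        print("-", problem)
```

Run it against the real file (`parse_server_conf(open("/etc/graylog/server/server.conf").read())`) after any change to the mail settings; the sample above reports an empty password and a TLS/SSL conflict.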

Update Investigation Status

Let's say you have concluded an investigation and are ready to close it. From the Investigations page:

  1. Select the Investigation to be closed.

  2. Click on the Edit button located at the top-right corner of the resulting page.

  3. In the Edit Configuration modal window, change the Status to Closed.

This ends an open investigation. However, closed investigations are still editable and can be assigned to users or teams.

To fully close an investigation so that it can no longer be edited, archive it:

  1. Click the vertical ellipsis to the right of the selected investigation.

  2. From the resulting drop-down menu options, choose Archive.

This moves the investigation from the Open tab to the Archived tab. An archived investigation cannot be edited.

If an investigation was archived in error, click the ellipsis to the right of the investigation on the Archived tab and select Restore. You can also restore several at once: on the Archived tab, select the check boxes of the investigations to restore, click the Bulk Actions drop-down, and select Restore. Restored investigations return to the Open tab, where you can work with them again.

Perform Bulk Actions

You can archive, assign, and delete investigations in bulk from the Investigations page.

To do so, select the investigations using their check boxes, then open the Bulk Actions drop-down and choose Assign, Archive, or Delete.

Roles

Graylog includes two user roles related to investigations:

  • Investigations Manager: With this role, you have full control over investigations.

  • Investigations Reader: With this role, you have read access to investigations only.

Warning: Check your permission settings to ensure that users and teams have the required access to investigations and to the evidence entities they contain. An investigation role grants access to the investigation itself, not to its evidence. For instance, if an investigation contains a dashboard as evidence, an assignee without permission to view dashboards cannot view or add to that dashboard, even though they can view or edit the investigation.
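A practical consequence is that an investigation should be checked against the assignee's effective permissions before it is assigned, otherwise the assignee opens it and finds evidence they cannot see. The following is an added example, not Graylog's authorization code. It assumes permissions are flattened into Shiro-style "entity:action:id" strings as Graylog uses them (with "*" wildcards and comma-separated alternatives); the mapping from evidence type to required permission, the evidence ids, and the user permission lists are constructed placeholders.

```python
"""Preflight: which pieces of evidence can a prospective assignee not see?

Added example, not Graylog code. Permission strings follow the Shiro-style
"entity:action:id" form; the REQUIRED_PERMISSION mapping and all ids below are
assumptions for illustration.
"""

# Assumed mapping: evidence type -> permission prefix that must cover its id.
# Log messages are readable through the stream that carries them.
REQUIRED_PERMISSION = {
    "dashboard": "dashboards:read",
    "search": "view:read",
    "log": "streams:read",
}

# Constructed evidence list for one investigation (placeholder ids).
EVIDENCE = [
    {"type": "dashboard", "id": "dash-lateral-movement"},
    {"type": "search", "id": "search-failed-logins"},
    {"type": "log", "id": "stream-windows-security"},
]

# Constructed users with already-flattened effective permissions.
USERS = {
    "admin": ["*"],
    "reader_alice": ["investigations:read", "streams:read:stream-windows-security"],
    "manager_bob": [
        "investigations:*",
        "dashboards:read:*",
        "view:read:search-failed-logins",
        "streams:read:stream-windows-security,stream-linux-auth",
    ],
}


def implies(granted, required):
    """Shiro-style wildcard match: does `granted` cover `required`?

    A shorter granted string implies all trailing parts ("dashboards:read"
    covers "dashboards:read:anything"); a longer one only matches if its extra
    parts are all "*".
    """
    g = granted.split(":")
    r = required.split(":")
    for i, part in enumerate(r):
        if i >= len(g):
            return True
        alternatives = g[i].split(",")
        if "*" not in alternatives and part not in alternatives:
            return False
    return all(p == "*" for p in g[len(r):])


def inaccessible_evidence(evidence, permissions):
    """Return the evidence items that none of `permissions` cover."""
    missing = []
    for item in evidence:
        needed = f"{REQUIRED_PERMISSION[item['type']]}:{item['id']}"
        if not any(implies(p, needed) for p in permissions):
            missing.append({**item, "needs": needed})
    return missing


if __name__ == "__main__":
    for name, perms in USERS.items():
        gaps = inaccessible_evidence(EVIDENCE, perms)
        print(name, "can see everything" if not gaps else f"cannot see: {gaps}")
```

In the constructed data, reader_alice holds Investigations Reader-level access plus one stream, so she can open the investigation but not its dashboard or saved search; manager_bob and the admin clear the check. The same function applied to a team's merged permissions tells you whether assigning to that team is safe.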

Determine Relative Time Or Absolute Time Ranges

Searches are often run with a relative time range, such as "everything from the last hour". A relative range re-evaluates each time the search runs, so a week later the same saved search no longer covers the events the investigation was about. For that reason, when you add a saved search with a relative range as evidence, Graylog prompts you either to convert the time range to absolute or to keep the relative search. If you choose to convert, Graylog duplicates the saved search with the time range fixed to the absolute from/to values at that moment and labels the copy Absolute Time, so you can use either search as needed.
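The following added example (not Graylog's implementation) shows why the conversion matters. It freezes a relative range into an absolute one anchored at the moment the search becomes evidence, then measures how much of the original window the search still covers when re-run a day later. It assumes Graylog's JSON shapes for time ranges, {"type": "relative", "range": <seconds>} and {"type": "absolute", "from": <ISO 8601 UTC>, "to": <ISO 8601 UTC>}, and uses "(Absolute Time)" as a placeholder suffix for the duplicated search's title; the saved search itself is constructed.

```python
"""Freeze a relative time range into an absolute one when a search becomes evidence.

Added example, not Graylog code. Assumes Graylog's relative/absolute time range
JSON shapes; the title suffix is a placeholder.
"""
from datetime import datetime, timedelta, timezone

# Constructed saved search with a relative range ("last hour").
SAVED_SEARCH = {
    "title": "Failed SSH logins",
    "query": "action:login AND result:failure",
    "timerange": {"type": "relative", "range": 3600},
}

# Fixed reference instants so the example is reproducible offline.
CREATED_AT = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
A_DAY_LATER = CREATED_AT + timedelta(days=1)


def _iso_ms(dt):
    # Absolute ranges carry millisecond precision and a trailing Z.
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _parse_iso(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def resolve(timerange, now):
    """Return the (start, end) datetimes a time range covers when run at `now`."""
    kind = timerange["type"]
    if kind == "absolute":
        return _parse_iso(timerange["from"]), _parse_iso(timerange["to"])
    if kind == "relative":
        seconds = timerange["range"]
        if seconds <= 0:
            # Assumed here: a relative range of 0 means "all messages", which
            # has no lower bound to freeze, so refuse rather than guess one.
            raise ValueError("relative range of 0 (all messages) cannot be frozen")
        return now - timedelta(seconds=seconds), now
    raise ValueError(f"unsupported time range type: {kind}")


def freeze_search(search, now):
    """Duplicate a relative-range search with its range converted to absolute,
    anchored at `now`. Searches that are already absolute are returned as-is."""
    if search["timerange"]["type"] == "absolute":
        return dict(search)
    start, end = resolve(search["timerange"], now)
    frozen = dict(search)
    frozen["title"] = f'{search["title"]} (Absolute Time)'
    frozen["timerange"] = {"type": "absolute", "from": _iso_ms(start), "to": _iso_ms(end)}
    return frozen


def overlap_seconds(timerange, first_run, second_run):
    """Seconds shared by the windows a range covers when evaluated at two instants."""
    a0, a1 = resolve(timerange, first_run)
    b0, b1 = resolve(timerange, second_run)
    return max(0.0, (min(a1, b1) - max(a0, b0)).total_seconds())


if __name__ == "__main__":
    frozen = freeze_search(SAVED_SEARCH, CREATED_AT)
    print(frozen["title"], frozen["timerange"])
    print("relative search, overlap after a day:",
          overlap_seconds(SAVED_SEARCH["timerange"], CREATED_AT, A_DAY_LATER))
    print("frozen search, overlap after a day:",
          overlap_seconds(frozen["timerange"], CREATED_AT, A_DAY_LATER))
```

With a one-hour relative range, the window re-evaluated a day later shares zero seconds with the original; the frozen copy still covers the full hour. Keeping both searches, as the prompt allows, gives you the stable evidence and a live view for follow-up.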

Support Markdown in Investigation Notes

Investigation notes use a custom Markdown editor, so you can structure and format notes with headers, bullet points, tables, numbered lists, code snippets, and hyperlinks.

The markdown editor preview feature enables you to view the final output, allowing you to rectify errors and discrepancies before saving.