Security Events
The following article exclusively pertains to a Graylog Security feature or functionality. Graylog Security is a part of the Graylog centralized log management platform and requires a separate license. Contact the Graylog Sales team for more information on this product.
A Graylog security event may represent a critical incident or activities logged by the Graylog platform indicating possible threats to system integrity and security. These events range from failed login attempts and unusual network traffic to potential malware. You can define rules and criteria to detect these events and configure alerts to ensure prompt identification, triage, and investigation of suspicious or critical activities.
In this article we will discuss events and alerts as they pertain to the Graylog Security product and within the Security interface. To learn more about how event definitions and alerts work in the core Graylog application, please see the general events documentation.
Manage Security Events
The Security Events tab contains Alerts, Definitions, and Notifications. These components work together to enhance your event monitoring and incident response capabilities.
Events in both the Graylog General and Security perspectives function much the same; however, alerts in the Graylog General perspective are static as they only provide information, while alerts received in the Security perspective are actionable and tailored to security-related operations, allowing you to create enhanced workflows for triage, investigation, incident management, and incident response.
To view and manage events in the Security Events tab:
- Navigate to the Graylog Security interface.
- Click on the Security Events tab.
Now, we will review some key terms helpful in understanding how security events work through the Graylog Security interface. It is highly recommended that you also review the event management documentation for a more comprehensive explanation of these terms.
Event Definitions
Event definitions are crucial for automating the detection of important events or anomalies that could indicate security incidents, operational issues, or other significant occurrences in your IT environment. For example, an event could be a change made to a firewall policy or a failed login attempt by a blacklisted IP address. Graylog Security helps you manage your security events by allowing you to define specific criteria for what constitutes an event and alerts you when your log data matches your defined condition(s).
There are two main ways to create a new event definition:
Event Types
When defining an event in Graylog, you choose one of two event condition types: Filter & Aggregation, or Event Correlation.
Filter and Aggregation
Filter and aggregation conditions in Graylog allow you to define events based on criteria that filter and aggregate log messages. This involves setting conditions that filter incoming messages and then aggregating them to determine if they meet specified thresholds or patterns.
For example, an aggregation event type might include:
- Threshold-based events: an event that triggers when a certain number of log messages matching specific criteria are received within a defined time window. For example, trigger an event when more than 100 failed login attempts occur within 5 minutes.
- Pattern recognition: an event that detects patterns in log messages, such as a web request for a commonly exploited endpoint, indicating a potential attack.
Event Correlation
Event Correlation conditions allow you to create events based on relationships or sequences of log messages across multiple sources or streams. This involves defining conditions that identify patterns or sequences of events rather than simple aggregation.
For example, an event correlation type might include:
- Sequence detection: trigger an event when a specific sequence of events occurs within a short time frame across different logs or systems. For example, detect a network access log followed by a firewall rule change, indicating a potential security policy violation.
- Multi-source correlation: combine logs from different sources (e.g. web server logs, database logs) to detect correlated events, such as a sudden spike in web traffic coinciding with database performance degradation.
- Anomaly detection: identify anomalous patterns or behaviors that span multiple log sources, such as simultaneous access attempts from geographically dispersed IP addresses, suggesting a coordinated attack.
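As an added example (not from the Graylog documentation or the Graylog code base), the sequence detection case above implemented in Python over two constructed log sources: a VPN gateway and a firewall. The hostnames, user names, field names, actions and the ten-minute window are assumptions chosen for illustration; in Graylog itself the equivalent rule is configured through the event definition wizard, not written as code.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines from two log sources (not real data). Each line is
# "<ISO timestamp> <source host> key=value ...". Hostnames, users and rule
# names are assumptions made for this example.
VPN_LOG = """\
2024-01-01T12:00:05Z vpn-gw user=bob action=login src=203.0.113.5
2024-01-01T12:01:00Z vpn-gw user=alice action=login src=198.51.100.7
2024-01-01T12:40:00Z vpn-gw user=carol action=login src=192.0.2.9
"""

FIREWALL_LOG = """\
2024-01-01T12:03:00Z fw-core user=dave action=rule_change rule=allow-ssh-mgmt
2024-01-01T12:04:30Z fw-core user=bob action=rule_change rule=allow-any-inbound
2024-01-01T12:30:00Z fw-core user=alice action=rule_change rule=block-tor
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_lines(text, stream):
    """Parse key=value lines into message dicts tagged with the stream they came from."""
    messages = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines rather than failing the whole batch
        ts, host, rest = m.groups()
        msg = {"timestamp": datetime.fromisoformat(ts.replace("Z", "+00:00")),
               "host": host, "stream": stream}
        msg.update(dict(KV_RE.findall(rest)))
        messages.append(msg)
    return messages


def correlate_sequence(messages, first, second, key, window):
    """Emit one event for each `second` message that was preceded, within
    `window`, by a `first` message carrying the same `key` value.
    `first` and `second` are (stream, action) pairs. Messages are processed in
    timestamp order, so only the most recent `first` per key must be remembered."""
    last_seen = {}  # key value -> timestamp of the most recent `first` message
    events = []
    for msg in sorted(messages, key=lambda m: m["timestamp"]):
        kind = (msg["stream"], msg.get("action"))
        if kind == first:
            last_seen[msg[key]] = msg["timestamp"]
        elif kind == second:
            t0 = last_seen.get(msg[key])
            if t0 is not None and msg["timestamp"] - t0 <= window:
                events.append({key: msg[key], "first_at": t0, "second_at": msg["timestamp"],
                               "delta_seconds": int((msg["timestamp"] - t0).total_seconds()),
                               "rule": msg.get("rule")})
    return events


def detect_access_then_rule_change(window_minutes=10):
    """Hypothetical event: a VPN login followed within `window_minutes` by a
    firewall rule change made by the same user."""
    messages = parse_lines(VPN_LOG, "vpn") + parse_lines(FIREWALL_LOG, "firewall")
    return correlate_sequence(messages, first=("vpn", "login"),
                              second=("firewall", "rule_change"), key="user",
                              window=timedelta(minutes=window_minutes))


if __name__ == "__main__":
    for e in detect_access_then_rule_change():
        print(f"{e['user']}: VPN login at {e['first_at']:%H:%M:%S}, "
              f"rule '{e['rule']}' changed {e['delta_seconds']}s later")
```

With the ten-minute window only bob's change fires: alice's rule change comes 29 minutes after her login, dave changed a rule with no preceding VPN login, and carol logged in but changed nothing. Widening the window to 30 minutes also picks up alice, which is the usual tuning knob for this kind of rule.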
Alerts
Alerts within the Graylog Security platform provide visibility into the status and progression of security incidents and allow you to perform various actions directly from the alert. When an alert is triggered, it provides a detailed overview of the security event and enables actions that streamline response efforts. The key actions available are:
- View and update the status of the alert: Examine the current state of the alert, including its severity and any relevant details. Update the alert status to reflect changes or resolutions.
- Assign the alert to an owner: Designate a specific user or team responsible for investigating and resolving the alert.
- Create an investigation from an alert: Initiate a detailed investigation directly from the alert.
- View associated investigations: Access and review investigations related to the alert. This provides context and helps in understanding the broader scope of the incident.
- Send a notification: Distribute alerts via notifications to relevant stakeholders or security teams. This ensures that the appropriate personnel are promptly informed and can take the necessary actions.
- Replay a search: Re-execute the alert's criteria as a search query within Graylog to obtain additional contextual information.
- View associated assets: Identify and examine assets linked to the alert. This includes viewing details about affected systems, users, or network components, which aids in assessing the impact and scope of the incident.
Notifications
Notifications provide real-time alerts about security events. You can configure Graylog to send these notifications to relevant stakeholders or various channels, including email, Slack, or MS Teams.
This integrated approach to security event monitoring improves overall cybersecurity by streamlining alert management and response workflows, thereby enhancing your threat detection and incident response capabilities.
Utilize the Security Events and Alerts Workflow
As log messages matching the criteria defined in your event definitions are received, Graylog evaluates them against the conditions specified and triggers an alert, if enabled. Let's explore a scenario that highlights the security events workflow, from creating an event definition to completing an investigation based on the alert notification.
Use Case Scenario
In this scenario, Sally, a newly hired security analyst, is enhancing security event monitoring within her organization. As part of this effort, she has defined an event to monitor failed login attempts to detect potential brute-force attacks or unauthorized access attempts. This event definition triggers an alert when there are more than five failed login attempts from a single IP address within five minutes and sends an email notification.
To set up this event definition, from the Graylog web interface, Sally navigates to Graylog Security > Security Events and clicks on the Create event definition button located on the top right corner of the Event Definitions page. Using the event definition wizard, Sally configures the event definition as follows:
- Title: Failed Login Attempts
- Description: Detects multiple failed login attempts from a single IP address
- Remediation Steps (Optional): Lock out IP addresses
- Priority: High
- Event Type: Filter & Aggregation
- Filter:
  - Search Query: event_code: 4625
  - Search within the last: 5 minutes
  - Execute search every: 5 minutes
  - Create Events for Definition if: Aggregation of results reaches a threshold
- Aggregation:
  - Group by Field(s) (Optional): source_ip
  - Condition: If count(source_ip) > 5
- Notifications: Send email notification when this event is triggered.
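To make the threshold logic concrete, here is an added example (not Graylog's code and not part of the original article) that emulates Sally's definition in Python: filter on event_code 4625, group by source_ip, count per search window and fire when the count exceeds five. It also serves the threshold-based aggregation case described under Filter and Aggregation above. The sample messages are constructed, the scheduler emulation is a simplification of how Graylog actually runs event definitions, and the example goes beyond the text by showing what changes when the search window and the execution interval differ.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BASE = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def _msg(offset_s, event_code, source_ip, user):
    return {"timestamp": BASE + timedelta(seconds=offset_s), "event_code": event_code,
            "source_ip": source_ip, "user": user}


# Constructed sample messages (not real log data) using the fields from the
# event definition above. Three source IPs behave differently:
#   203.0.113.5  - 7 failures within one minute (12:02:00-12:03:00): a brute-force burst
#   198.51.100.7 - 6 failures split 3/3 across the 12:05 window boundary
#   192.0.2.9    - 2 failures: ordinary typos
SAMPLE_MESSAGES = (
    [_msg(120 + 10 * i, 4625, "203.0.113.5", "administrator") for i in range(7)]
    + [_msg(s, 4625, "198.51.100.7", "jdoe") for s in (180, 210, 240, 300, 330, 360)]
    + [_msg(s, 4625, "192.0.2.9", "asmith") for s in (60, 200)]
    + [_msg(250, 4624, "203.0.113.5", "administrator")]  # a successful logon: dropped by the filter
)


def filter_messages(messages, event_code=4625):
    """The 'Search Query' step: keep only messages matching the event code."""
    return [m for m in messages if m["event_code"] == event_code]


def run_definition(messages, window, interval, threshold, first_run, group_field="source_ip"):
    """Emulate the scheduler: at each execution time t the definition searches
    [t - window, t), groups by `group_field`, and fires one event per group whose
    message count exceeds `threshold`."""
    msgs = sorted(messages, key=lambda m: m["timestamp"])
    if not msgs:
        return []
    last = msgs[-1]["timestamp"]
    events = []
    t = first_run
    while t - window <= last:  # stop once the window has moved past the last message
        lo, hi = t - window, t
        counts = defaultdict(int)
        for m in msgs:
            if lo <= m["timestamp"] < hi:
                counts[m[group_field]] += 1
        for group, n in sorted(counts.items()):
            if n > threshold:
                events.append({"run": t, group_field: group, "count": n})
        t += interval
    return events


def detect_failed_logins(messages=SAMPLE_MESSAGES, window_minutes=5, interval_minutes=5, threshold=5):
    """Sally's definition: event_code:4625, grouped by source_ip, count > 5,
    searching the last `window_minutes` every `interval_minutes`.
    The first execution time (12:05) is an assumption of this example."""
    return run_definition(filter_messages(messages), window=timedelta(minutes=window_minutes),
                          interval=timedelta(minutes=interval_minutes), threshold=threshold,
                          first_run=BASE + timedelta(minutes=5))


if __name__ == "__main__":
    for label, interval in (("execute every 5 min", 5), ("execute every 1 min", 1)):
        print(label)
        for e in detect_failed_logins(interval_minutes=interval):
            print(f"  run {e['run']:%H:%M}: {e['source_ip']} count={e['count']}")
```

With "Search within the last" equal to "Execute search every", the windows do not overlap, so the burst from 198.51.100.7 that straddles the 12:05 boundary never exceeds the threshold and only 203.0.113.5 raises an event. Executing every minute over a five-minute window catches the straddling burst, but the same burst is then counted in several overlapping windows and raises duplicate events (three for 203.0.113.5). Choose the two values deliberately with this trade-off in mind.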
Once the event definition is saved, Graylog evaluates incoming messages against it on the configured schedule.
Some time later, Sally receives an email notification triggered by the "Failed Login Attempts" event definition.
The alert indicates a high risk score, so she immediately prioritizes it: she changes the alert status from New to Investigating, assigns the alert to herself as the owner, and creates an investigation from the alert. She then notifies her team by clicking the Send Notification button within the alert, reviews the remediation steps, and begins investigating the issue.
To begin the investigation, Sally clicks the Replay Search button in the top left corner of the alert to run the event's search query and dig into the underlying log data. This gives her context on the nature of the alert: the associated assets, the source of the event, the usernames involved, and other details relevant to the investigation.
Sally follows her organization's incident response playbook for potential brute-force attacks, together with the remediation steps contained in the alert, and blocks the brute-force attack.
Once the investigation is concluded, Sally updates the alert status to Closed, which completes the workflow.