The following article exclusively pertains to a Graylog Security feature or functionality. Graylog Security is a part of the Graylog centralized log management platform and requires a separate license. Contact the Graylog Sales team for more information on this product.
Graylog Security provides you with an enhanced and unified view of all Graylog security components—security events, investigations, anomalies, sigma rules, and assets—in a single, accessible space. This unified view of all security-related components allows for seamless navigation through security functionality, utilizing widgets, metrics, notifications, and dashboards all from a central hub and eliminating the need to switch between different pages.
Key Features
Unified Security Space
- Centralized User Interface: All Security features are accessible from a single location, providing a holistic overview of Security components without the need to switch between pages.
- Optimized for Security Tasks: The dedicated Graylog Security layout provides tools and features specifically for security analysis, allowing for targeted investigation.
- Integrated Widgets and Metrics: Interact with Security data through widgets and metrics for real-time analysis and monitoring of security events.
Granular Control
- Permission Settings: Assign and manage permissions with fine-grained control over who can view or edit security-related information, supporting compliance with organizational policies and practices.
- Alert and Event Management: Respond to alerts and events using options tailored to distinct security scenarios.
Dual Layout Interface
- General vs. Security Layout: Switch between the default Graylog General layout and the Graylog Security layout, depending on your role and security licensing.
Security Layout
To access the Graylog Security layout:
- Log in to your Graylog instance with the necessary permissions.
- On the top navigation bar, click the Change UI perspective drop-down menu beside the Graylog logo in the top-left corner.
- Select Security.
Upon switching to the Security layout, you are presented with a welcome page containing the following widgets:
- Events & Alerts: A real-time view of your current security events and alerts, so you can respond quickly to detected threats.
- Investigations: Track ongoing investigations by toggling between All Investigations and My Investigations.
- Last Opened: Quick access to the Security components you most recently worked with, so you can pick up where you left off.
- Favorite Items: Quick access to the tools and features you have marked as favorites.
- System Overview: An at-a-glance view of system health and activity, so you can confirm that all Security components are functioning.
- News: The latest updates, news, and announcements from Graylog, including new features and best practices.
- Recent Activity: The latest actions taken by users within the platform, useful for understanding usage patterns and spotting maintenance needs.
- Releases: Information about the latest Graylog releases, including updates, enhancements, and bug fixes.
In the Security layout, all features are located on the top navigation bar. These features remain consistent with those from the General layout but offer some extra functionality as described below.
Investigations Metrics Dashboard
Prerequisites
To view the metrics dashboard, the following are required:
- Graylog 6.0 with OpenSearch 2.0.1 (or greater) or Data Node.
- The OpenSearch index-management plugin must be installed. On a self-managed OpenSearch cluster you can confirm this by listing installed plugins with the _cat/plugins API (GET /_cat/plugins); the list should include opensearch-index-management.
Navigate the Metrics Dashboard
When you select the Investigations tab from the top navigation menu, you are presented with a list of all investigations. To the right of this list, a dashboard view provides metrics summarizing those investigations.
The dashboard provides the following metrics:
- Dwell Time: The time a threat persisted in the environment before it was recognized as a threat. Calculated from the earliest log evidence timestamp in the investigation to the investigation create time.
- Time to First Response: The time from investigation creation to the first action taken on it. Calculated from the investigation create time to the first investigation update or the first evidence addition, whichever comes first.
- Time to Detect: The time between an alert being triggered and an investigation being opened. Calculated from the alert creation date in the investigation evidence to the investigation create time.
- Time to Resolve: How long investigations take to resolve. Calculated from the investigation create time to the investigation close time.
- Opened Investigations: The number of investigations that were opened.
- Closed Investigations: The number of investigations that were closed.
Assign Roles and Permissions
Permissions
Specific permissions are required to use security events functionality. The following individual permissions are available for security events within the Security layout:
- security_event:create
- security_event:edit
- security_event:read
- security_event:delete
- security_event:execute_notifications: Enables sending notifications for specific security events on demand (using the Send Notification button).
Events and Investigations Dashboard Widgets
- Investigations widget: Requires the investigations:read permission to display results.
- Events widget: Requires the security_event:read permission to display results. The widget can display security event fields such as risk score, owner, status, and more.
Note that security_event:edit is also required for the security_event:execute_notifications action, because sending a notification creates a SecurityEvent in MongoDB for each notification that is sent. A user whose roles grant execute_notifications but not edit therefore cannot send notifications on demand; check for this when building custom roles.
Roles
These roles are selectable and can be assigned while editing a user. Note that eventdefinitions, eventnotifications, and investigations permissions are also needed in order to view security event details. For convenience, the following roles are available by default:
- Security Events Reader permissions:
  - security_event:read
  - eventdefinitions:read
  - investigations:read
- Security Events Manager permissions (this set includes all Security Events Reader permissions and the following):
  - security_event:create
  - security_event:edit
  - security_event:delete
  - security_event:execute_notifications
  - eventdefinitions:create
  - eventdefinitions:edit
  - eventdefinitions:delete
  - eventnotifications:create
  - eventnotifications:edit
  - eventnotifications:delete
  - eventnotifications:read
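A small model of the permissions and roles listed above, added here as an example and not Graylog code. The permission strings and the two built-in roles are taken from this page; the "Notifier (custom)" role, the dependency table and the helper names are assumptions made for illustration. The point it demonstrates is the hidden prerequisite noted under the dashboard widgets: a role can list security_event:execute_notifications and still be unable to send notifications because it lacks security_event:edit.

```python
"""Role and permission checks for the Security Events permissions above.

Added example, not Graylog code.  The two built-in roles are copied from the
page; the custom role and the dependency table are constructed assumptions.
"""
from typing import Dict, FrozenSet, Iterable, List, Tuple

SECURITY_EVENTS_READER: FrozenSet[str] = frozenset({
    "security_event:read",
    "eventdefinitions:read",
    "investigations:read",
})

# The Manager role is the Reader set plus the write-side permissions.
SECURITY_EVENTS_MANAGER: FrozenSet[str] = SECURITY_EVENTS_READER | frozenset({
    "security_event:create",
    "security_event:edit",
    "security_event:delete",
    "security_event:execute_notifications",
    "eventdefinitions:create",
    "eventdefinitions:edit",
    "eventdefinitions:delete",
    "eventnotifications:create",
    "eventnotifications:edit",
    "eventnotifications:delete",
    "eventnotifications:read",
})

ROLES: Dict[str, FrozenSet[str]] = {
    "Security Events Reader": SECURITY_EVENTS_READER,
    "Security Events Manager": SECURITY_EVENTS_MANAGER,
    # Constructed custom role: looks sufficient for the Send Notification button
    # but omits security_event:edit, which the page says is also required.
    "Notifier (custom)": frozenset({
        "security_event:read",
        "security_event:execute_notifications",
    }),
}

# Permissions that only work when another permission is also held.
PERMISSION_DEPENDENCIES: Dict[str, FrozenSet[str]] = {
    "security_event:execute_notifications": frozenset({"security_event:edit"}),
}


def effective_permissions(role_names: Iterable[str],
                          roles: Dict[str, FrozenSet[str]] = ROLES) -> FrozenSet[str]:
    """Union of the permissions granted by each of the user's roles."""
    perms = set()
    for name in role_names:
        if name not in roles:
            raise KeyError(f"unknown role: {name}")
        perms |= roles[name]
    return frozenset(perms)


def missing_dependencies(perms: FrozenSet[str]) -> List[Tuple[str, str]]:
    """(permission, missing prerequisite) pairs for a permission set."""
    return [
        (perm, dep)
        for perm, deps in PERMISSION_DEPENDENCIES.items()
        if perm in perms
        for dep in sorted(deps - perms)
    ]


def can(role_names: Iterable[str], permission: str,
        roles: Dict[str, FrozenSet[str]] = ROLES) -> bool:
    """True if the roles grant the permission and every prerequisite it needs."""
    perms = effective_permissions(role_names, roles)
    if permission not in perms:
        return False
    return not any(p == permission for p, _ in missing_dependencies(perms))


if __name__ == "__main__":
    for role in ROLES:
        print(f"{role}: send notification on demand ->",
              can([role], "security_event:execute_notifications"))
    print("dependency problems in Notifier (custom):",
          missing_dependencies(ROLES["Notifier (custom)"]))
```

Run against the built-in roles, only Security Events Manager can send notifications on demand; the custom role fails the check and missing_dependencies() names the permission it needs. The same check is worth running over any role you export from a Graylog instance before assigning it, since the UI grants are additive across roles and a missing prerequisite is easy to overlook.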