Graylog Security
  • 31 May 2022

Overview

Graylog Security works in tandem with your existing Graylog environment and features expanded SIEM, security analytics, and Anomaly Detection capabilities. It provides you with a new workspace that includes pre-configured dashboards representing the most significant event and anomaly log data in a central location.

Prerequisites

Note

Please note that OpenSearch is the required data service to support the Anomaly Detection tool included in your Security product. You may use OpenSearch v1.2 or v1.3; however, we strongly recommend using OpenSearch v1.3 (latest version) to optimize user experience. Depending on your organization's needs, you may install the OpenSearch service or migrate an existing Elasticsearch setup to OpenSearch as necessary.

Security Dashboards

Five out-of-the-box dashboards are included in the Security tool: Overview, User Activity, Host Activity, Network Activity, and Anomalies. (The Configuration selection allows you to configure your Anomaly Detection tool, as described in the related user guide.)

[Image: Analyst tools icons]

  • Overview: The Overview dashboard displays visual metrics concerning some of the most commonly investigated log data, including logon attempts, logon failures, message counts, etc.

[Image: Overview dashboard]

  • User Activity: As the title suggests, this is a dashboard centered around user activities. With this dashboard you can search for a particular user within the logs, review their activities, and visualize their interactions across various parameters. Typical user activities like authentications, permissions, account creation, logon attempts by username, logon failures, logon successes, and more are tracked and displayed in this location.

[Image: User Activity dashboard]

  • Host Activity: Similar to User Activity, this dashboard displays log data emanating from specific hosts or devices. It supports the security analyst in investigating the source of any unusual or significant event.

[Image: Host Activity dashboard]

  • Network Activity: The Network Activity dashboard focuses on monitoring network traffic, breaking usage down by source, destination, user name, IP address, etc.

[Image: Network Activity dashboard]

  • Anomalies: This dashboard provides a snapshot of any anomalous activity occurring in your environment depending on the specific detectors you have enabled. See the Anomaly Detection User Guide for a detailed look into this tool.

[Image: Anomalies dashboard]

Drill Down View Use Case

Because Graylog Security integrates with the rest of your Graylog tools, you can investigate a specific user profile more closely in the drill-down view.

In the following use case scenario, after noticing some unusual behavior patterns in the Anomaly Detection dashboard, we decide to investigate further data points associated with a selected user name in the drill-down view.

  1. Click on the selected user name to open the dropdown menu.
    [Image: User dropdown]
  2. Select the "Insert into view" option.
  3. Select a drill-down view. You can drill down on a user by user account, or by IPs and hostnames.
    [Image: Drill-down options]

In this example, we open a drill-down view on the username "kumar." All activities associated with this user are displayed in the drill-down view, in user-focused widgets such as "Events by Category Over Time," "Top 10 Associated IP Addresses," "Network Bytes Over Time," and many more.
[Image: Drill-down view]

This capability gives analysts a prebuilt investigation workflow, producing consistent outcomes no matter who performs the investigation. It also narrows their focus to a selected user's activities across the entire monitored system.
