The Graylog blog

Threat Intelligence And Log Management: Security Through Automation

The constant evolution of security threats has long-since made preventing cyber-attacks and network intrusion attempts a nearly impossible task. Real threats are often hard to identify among a multitude of false alarms, and many experts understand that a well-integrated and fully-automated threat intelligence strategy is the best approach. Nevertheless, 70% of security industry professionals still believe threat intelligence to be too complex and bulky to provide actionable insights.

However, the main reason for this lack of trust lies with the inadequacy of many companies’ reporting processes. Without a proper centralized log management tool such as Graylog, integration of data coming from logs is extremely cumbersome, and a strong cybersecurity posture very hard to achieve. The Graylog Threat Intelligence Plugin integrates intelligent threat insight capabilities with automated log management and is a vital tool in the fight against cyber-threats.

How does threat intelligence work?

Threat intelligence works by identifying the “indicators of compromise” (IOCs) – a series of identifiable pieces of data that has been previously detected during a compromise attempt. All these indicators are collected into both open source and commercial databases known as threat intelligence feeds. Threat intelligence feeds represent fundamental sources of threat information that include all the necessary information about known threats – such as lists of globally blacklisted IPs and URLs, for example.

There are many threat intelligence feeds out there. Open source ones are, obviously enough, the cheapest choice, but they need a certain degree of micromanagement. Most of them get their indicators from the same sources, so duplication and overlapping of data is a definite possibility. Paid ones also require some form of active management since each one of them usually has a narrower scope. Threat intelligence platforms are the most expensive option, but they curate a large number of feeds and come equipped with easy-to-use APIs to integrate them all. We prepared a good guide if you want more information on how to select the right threat intelligence feeds and integrate them.

Staying ahead of network threats with threat intelligence

Security Information Event Management (SIEM) tools make wise use of centralized logs to store and analyze logs, as well as to monitor and correlate events in real-time to identify potential security breaches. Event correlation allows you to check whether your network was really compromised or not. Centralized log management is necessary to collect all the events across your network in one place where they can be correlated and compared to threat intelligence data to identify suspect activities. As you take your time analyzing these logs, however, hackers and intruders may keep wreaking havoc in your system. Manual analysis should be substituted with automatization, to be able to react as promptly as possible.

Automating everything as much as possible is critical to identifying network intrusions in a timely manner and mitigating the damage of a data breach. However, we all know very well how most Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) fell flat on their faces back then when nobody trusted their ability to distinguish between a potential intrusion and incoming traffic that was perfectly legitimate. Threat intelligence and log management represent the ultimate solution to all these problems.

By integrating your Log Management solution with a threat intelligence feed, threat data can be compared in real-time with data coming from your log entries to identify a potential breach. If a match occurs, Graylog will alert you either in real time or by adding it to a list for your review. Further integration and automation (perhaps using a Security Orchestration, Automation, and Response – SOAR – tool) can be used to block the potential threat at the host level as well as at the WAF, firewall, web gateway, or anywhere else.


Threat intelligence provides analysts with a sophisticated tool with which they can examine threats from a unique point of view, and obtain a deeper understanding of their context. It is a great opportunity to reduce your security team’s workload by automating many processes as well.

The Graylog Threat Intelligence Plugin is extremely easy to install, configure, and use (if you’re still confused, you can check our guide here). You can hook up our centralized log management solution with a specified threat intelligence feed provider, and improve your automated threat hunting strategies by efficiently shifting your SIEM from reactive to proactive.

Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog Blog delivered to your inbox once a month.