What’s New In Graylog V6.0

In this video, Jeff Darrington and Seth Goldhammer present the latest updates in Graylog’s Version 6.0, focusing on improvements in data management, user workflows, and security content. Seth explains how these updates streamline administrative tasks and make security investigations more efficient. The live demo showcases the new investigation interface, customizable dashboards, and data management features such as data tiering, which moves older data to a cheaper warm tier while keeping it searchable.

Video key takeaways:

  • Learn about time-saving features like the investigation interface, which automatically captures investigation milestones and tracks related events.
  • Discover new data management improvements, such as data tiering for cost-effective storage.
  • See the live demo showcasing Graylog’s revamped navigation, enhanced security features, and custom dashboards.

Jeff Darrington: Good morning or good afternoon, depending on where you are. Welcome to Graylog’s “What’s New in Version 6.0.” I’m Jeff Darrington, the Director of Technical Marketing. Joining me today is Seth Goldhammer, our VP of Product Engineering. If you missed us at RSA, Seth is here today to walk us through the latest updates. Welcome, Seth!

Seth Goldhammer: Thanks, Jeff. Welcome, everyone! Feel free to use the chat anytime throughout the session for any feedback or questions. We’ll try to address as many questions as possible, either during or at the end of the session. Today, we’re going to dive deep into the product and show you all the exciting new features.

Jeff Darrington: Absolutely. With that, Seth, I’ll hand it over to you. You’ve got some slides and interesting information to share with us.

Seth Goldhammer: Thanks, Jeff. The 6.0 release really started about six months ago. You’ve seen updates through versions 5.1, 5.2, and now 6.0, with 6.1 coming later this year. We’ve standardized around a six-month release cadence, which allows you to plan around major updates, even though we still introduce new features in our monthly patch releases. Additionally, our Illuminate content updates, which come out every two months, might move to a monthly cadence as well.

In 2024, we’ve been focusing on three areas: data management, user workflows, and enhancing our curated security content. We’ll dive into all these aspects today and show how these improvements reduce administrative overhead and make managing Graylog more efficient.

Let’s start with a high-level overview before diving into the live demo. From the analyst’s perspective, we’ve made it easier to get started, manage day-to-day tasks, and quickly resolve issues using Graylog. Illuminate and Spotlight content are a big part of this.

Jeff Darrington: Seth, how would you define Illuminate and Spotlight for our users?

Seth Goldhammer: Illuminate and Spotlight provide pre-built content for your logs, offering parsed data, dashboards, and other useful insights right out of the box, especially with Enterprise and Security Edition licenses. New content is automatically included with your existing license, so you’re always getting updates without needing to purchase additional packages.

Additionally, we’ve partnered with SOC Prime to include Sigma rule content, allowing you to detect specific threats in your environment. Our Illuminate content combines Graylog’s own dashboards, event definitions, and searches with SOC Prime’s threat detection rules, making it easier to detect and respond to potential security issues.

In today’s demo, you’ll see how these features enhance the analyst’s workflow, helping guide you through triaging alerts, investigating incidents, and resolving security issues efficiently.

Let’s get into the live demo now and showcase some of these features. Jeff, any thoughts before we jump in?

Jeff Darrington: I think the audience is excited to see the product in action!

Seth Goldhammer: Great! Starting with the new security perspective in Graylog 6.0, you’ll notice we’ve revamped the navigation, making it easier for analysts to focus on their tasks without being bogged down by administrative functions. I’ve created a custom dashboard here, showing widgets for open investigations and new alerts, which I’ve sorted by risk score to prioritize high-risk activities. You can easily filter and sort this information based on your needs.

Let me demonstrate how we can investigate a potential user compromise. I’ve flagged an alert related to a suspicious login process, and Graylog automatically provides remediation steps. I can also replay the surrounding log events to get more context. As I dig deeper, I see that a suspicious PowerShell command ran after an Excel file was opened—clearly a sign of a phishing attack.

I can add this information to my investigation and continue tracking all related events, such as emails and firewall logs, to get a complete picture. All of this is done quickly within the new investigation interface, which allows me to automatically capture key milestones and understand the scope of the issue.

Jeff Darrington: The ability to automatically gather and organize all relevant assets, users, and systems involved in an investigation is such a time-saver. It cuts down on a lot of the manual work that used to involve copying and pasting data from different sources.

Seth Goldhammer: Exactly! And as you progress through investigations, Graylog will capture key milestones, helping you measure efficiency and identify areas for improvement, such as tuning alerts or triaging faster.

We’re also excited about some updates on the data management side, like the new data tiering feature. Now, hot data can automatically move to a warm tier for more cost-effective storage, while still being searchable without any manual intervention. This can greatly reduce storage costs while maintaining good performance, with searches taking only a few seconds longer in the warm tier.

Jeff Darrington: That’s a huge advantage for customers who need long-term storage but want to avoid high costs.

Seth Goldhammer: Absolutely. We’re also introducing index field type profiles, allowing you to apply consistent field types across multiple pipelines more easily, which is especially helpful for larger deployments. And for our enterprise customers, we’ve improved archive performance by enabling multi-threading, making the archive writing process faster and more efficient.

Jeff Darrington: We’ve covered a lot of ground today. Shall we open it up for questions?

Seth Goldhammer: Yes, let’s do that.