
Graylog Helm Chart Beta V.1.0.0 Announcement

2025-12-22

SIEM Automation for Threat Detection & Response

2025-12-22

Cloud vs. On-Premises SIEM: Choosing the Right Deployment

2025-12-22

Supervised AI: The Fastest Path to Better Threat Triage ROI

2025-12-22

Understanding Ransomware Email Threats

2025-12-22

Understanding How a Log Correlation Engine Enables Real-Time Insights

2025-12-22   A log correlation engine automates the process of linking fragmented event data across diverse systems, transforming raw logs into real-time, actionable insights. By normalizing data and applying correlation rules, it reduces alert fatigue, accelerates incident detection (MTTD), and enables faster root cause analysis for improved security and operational efficiency.


Why a Cloud SIEM Just Makes Sense

2025-12-15   Cloud SIEMs solve the scalability and cost issues of traditional on-premises SIEMs by leveraging cloud-native resources. They offer flexibility, improved cost-effectiveness, and massive scalability for security data analysis. This enables robust threat detection, incident response automation (MITRE ATT&CK), and better insights across complex hybrid environments.


MCP ROI in a New Era of AI Orchestrated Threats

2025-12-08   The Model Context Protocol (MCP) inside Graylog delivers explainable AI assistance to the SOC, addressing the failure of fully autonomous tools. MCP enables faster, friction-free investigations by linking natural language queries to logs, enforcing governance, and providing verifiable context. This system helps security teams combat AI-orchestrated threats efficiently, yielding tangible ROI.


Announcing Graylog Illuminate v7.0

ADDED: New Content Packs & Features

  • Symantec ProxySG (419)

    Added alert_severity_level mapping based on event_action where applicable.

  • Checkpoint FW (2917)

    Added support for additional vendor_event_action values, including encrypt and decrypt. Restructured existing vendor fields to better align with log output: vendor_event_outcome is now vendor_event_action; vendor_event_outcome_reason is now vendor_event_action_reason; vendor_event_action is now vendor_event_operation.

  • Bitdefender GravityZone (3059)

    Added support for New Extended Incident logs. Included basic parsing for RPC formatted GravityZone logs for possible future extension via Filebeat testing.

  • Windows Security (2836)

    Added support for status code 0xC0000413 – STATUS_AUTHENTICATION_FIREWALL_DENIED.

  • Microsoft IIS Content Pack (1067)

    New content pack for Microsoft IIS (Internet Information Services), which is used for hosting web applications and services on Windows. Integrates tightly with ASP.NET and Windows Server ecosystem.

  • AWS Kinesis Content Pack (3076)

    New pack for Amazon Kinesis, supporting the parsing and categorization of AWS VPC Flow logs via AWS Kinesis for real-time data streaming and analysis. Future support for other log types may be added.

  • 1Password Content Pack (2993)

    New content pack for 1Password logs, supporting the centralized storage and management of credentials, API keys, and sensitive information for improved security and simplified credential management.

  • Cisco Business 350 Series (CBS) (2263)

    New content pack for Cisco Business 350 Series Switches, supporting managed Layer 3 network switches designed for small and medium-sized businesses.

  • F5 BIG-IP (1137)

    Added a Content Pack that supports the AFM and ASM module.

FIXED: Bugs and Issues

  • NetFlow (2851)

    Fixed IPFIX message identification and added support for different set fields.

  • Bitdefender (3115)

    Fixed wrong input name.

  • Cisco ISE (3004)

    Modified the base extraction regex to make the syslog header information optional, so events can be sent to either a syslog input or a raw TCP input.

  • Symantec ProxySG (3125)

    Moved alert_severity_level lookup data to its own .csv to address lookup complaint of duplicate values.

  • Linux Auditbeat (2928)

    Corrected issue mapping vendor_event_type: changed-promiscuous-mode-on-device.

  • Cisco ISE (3019)

    Fixed CmdSet parsing so the full command is returned as vendor_cmdset, dropping CmdAV and CmdArgAV.

  • Bitdefender GravityZone (3007)

    Fixed wrong search path in the New Incidents Count widget.

  • Curated Alerts (2583)

    Improved rule: Illuminate – Windows Security – Active Directory Database Snapshot Via ADExplorer. The detector now covers execution of the 64-bit variant of ADExplorer.

  • Core DNS Processing (2675)

    Fixed filter causing inconsistent results in the dashboard.

CHANGED: Updates and Streamlining

  • NetFlow (3074)

    Changed NetFlow IPv4/IPv6 renames and field types.

  • Cisco IOS (2823)

    Streamlined identification rule logic to be more efficient.

  • PowerShell, Postfix, Meraki, SEPM, Sophos, SonicWall, Cisco Meraki, Symantec Endpoint (Multiple IDs)

    Converted the use of multiple grok patterns per rule to use multi_grok for efficiency. Also, standardized gim_event_type_code mappings to align with detection categories and reclassified subtypes from alert to detection across multiple packs (e.g., Defender, Snort, Stormshield, Palo Alto, Fortigate, etc.).

  • Palo Alto (2824)

    Renamed spotlight title.

  • Schema (1940)

    Modified index templates to copy hash related fields (e.g., hash_md5, file_hash_) to associated_hash. This provides additional context to hash objects.

  • Palo Alto 11 (687)

    Updated colors for widgets that reference event_action to reflect schema.

  • AWS Security Lake (2314)

    Changed gim_event_category from alert to detection. The dashboard now supports both categories.

  • Bitdefender Telemetry (2950)

    Changed GIM codes for network events from 129999 (default) to 120200 (open) and 120300 (close).

  • Illuminate Core (3008)

    Disabled dynamic date detection for all Illuminate indices to fix mapping errors caused by inconsistent field formats.

  • Zeek (2618)

    Changed DNS request categorization to exclude NBSTAT.

  • Core (1711)

    Added support for MITRE ATT&CK Enterprise attacks_technique_uid & attacks_tactic_uid string values.

REMOVED / DEPRECATED Content

  • o365 (2957)

    Removed redundant type assignment in 22-o365_scc_categorize_alerts rule.

  • Bitdefender GravityZone (3058)

    Removed a possible leading forward slash for the source field (fixes issue when hostname is empty).

  • Compliance Content (2959)

    Removed deprecated ‘Compliance Content Spotlight (Deprecated)’ spotlight.

  • Palo Alto 9.1x (2716)

    DEPRECATED: The Palo Alto 9.1x Spotlight and associated processing content have been deprecated. Users should transition to the Palo Alto 11 Content Pack.

About Graylog
At Graylog, our vision is a secure digital world where organizations of all sizes can effectively guard against cyber threats. We’re committed to turning this vision into reality by providing Threat Detection & Response that sets the standard for excellence. Our cloud-native architecture delivers SIEM, API Security, and Enterprise Log Management solutions that are not just efficient and effective—whether hosted by us, on-premises, or in your cloud—but also deliver a fantastic Analyst Experience at the lowest total cost of ownership. We aim to equip security analysts with the best tools for the job, empowering every organization to stand resilient in the ever-evolving cybersecurity landscape.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Graylog Redefines the Modern SOC with Explainable AI that Delivers Speed, Clarity, and Control


HOUSTON — Nov. 3, 2025 — Graylog, a leading provider of SIEM and threat detection solutions, today launched its Graylog Security Fall 2025 release (Version 7.0). The latest version introduces AI-driven insights, Model Context Protocol (MCP) Server Access, and Amazon Security Data Lake integration, enabling Security Operations Centers (SOCs) to operate with greater clarity, speed, and cost efficiency.

The new platform features AI-enabled dashboards for instant, explainable insights into threats. It provides MCP Server access, which securely connects Large Language Models (LLMs) directly to Graylog data for natural language queries. These capabilities deliver measurable efficiency gains for teams that need to accomplish more with fewer resources.

“Our focus is on helping them take back control, with practical AI that drives faster insights, smarter investigations, and measurable efficiency. With this release, we’re giving teams explainable AI they can trust. By combining innovation with simplicity, and AI with human insight, organizations can meet security challenges head-on with technology that works for them.”

— Seth Goldhammer, Vice President of Product Management at Graylog

Expanding Access to Security Data Through Natural Language

This release introduces Graylog MCP Server Access, a secure new way for teams to interact with their Graylog environment through natural language. The MCP Server securely connects user-approved AI agents or LLMs to Graylog, adding a conversational layer for querying and analysis—fully governed by user permissions and license tier.

Analysts (or their AI agents) can ask questions like:

  • “Show me assets that increased in risk score over the past week and are linked to open investigations.”
  • “Summarize the top five MITRE techniques detected across failed logins in the last 24 hours.”
  • “Which indices are nearing rotation thresholds, and how much storage is currently in use across the cluster?”

This capability boosts productivity and awareness by providing a faster, more intuitive way to interpret and act on security data.

Reducing Cost and Complexity with AWS Security Data Lake Integration

Graylog 7.0 introduces support for external data lake connectors to AWS Security Data Lake. This feature is crucial for controlling costs and managing complexity in hybrid cloud environments.

Key Capabilities:

  • Filtered Inputs: Ingest only the specific data required for active monitoring.
  • Preview and Selective Retrieval: Maintain visibility across AWS services without redundant storage.

This capability allows customers to reduce unnecessary transfer costs, storage usage, and licensing impact by keeping log messages not aligned with active analytics in AWS.

Redefining the SOC for the Real World

Built for lean, outcome-driven teams, Graylog unifies log management, SIEM, and AI-powered threat detection and investigation in a single, scalable platform. Unlike legacy SIEMs weighed down by cost and complexity, Graylog Security delivers transparent and understandable AI.

Every alert, summary, and recommendation is explainable, empowering security teams with clear context and control to respond faster and smarter.

The Graylog Security Fall 2025 release is available today. Visit Graylog to explore new features or talk to Graylog’s AI Concierge Arti.
