Graylog Enterprise, Graylog Security

Search Workflows

The ol’ 80/20 rule: about 80% of the time you are running the same analyses over and over again, especially if you are an MSP, MSSP, or MDR. Whether you’re trying to track down a particular user session to figure out what went wrong or you were alerted to a potential threat and need to do some threat hunting, you need to gather the same types of data every time, and then keep going from there based on the results.

With Graylog’s Search Workflow, you can build and combine multiple searches for any type of analysis into one action and review your delivered results on a dashboard-like screen (or multiple tabs for really complex tasks).

Best of all, you can easily save and share Search Workflows to ensure consistency, save time and empower more junior team members.

How it Works

Start with one or more input parameters so you don’t have to copy and edit an old query just to change an IP address, MAC address, user ID, etc. You can even chain queries together so the results of one search become the input parameter to the next.

To keep your search results lightning fast, be sure to set up pipelines and streams correctly so you can easily limit your search to only relevant data. From there you can build your Search Workflow by adding one or more extended searches and specifying the type(s) of input parameter(s) an analyst should initiate the search with. For repetitive tasks, save and share your search workflow for later reuse.

Just like dashboards, you can drill down into the charts produced by your search workflow and even turn the results into a dashboard with just a click or two.

Examples

Tracking authentications across multiple platforms is a natural fit for Views as you can filter multiple streams with the userid. Imagine the operations team using a shared View where they can see the successful authentications, lock-outs, and failed authentications for your primary IAM, VPN, EDR, and SAML gateway all in one place by entering a single parameter.

Network operations teams will be able to easily leverage Views for tracking user or workstation movements. Need to investigate wireless DHCP usage? Enter a MAC address, and the relevant workstation information can be populated from AD, DHCP, and NAC/wireless.

Need to audit AD? You can use a View that pivots around group membership and group creation. Views support multiple parameters, so building tabs that cover both Users and Groups would follow nicely.

Security analysts can use parameters to track users or devices that are bridging the Trust/Untrust gap, or devices that are at risk of mixing auditable data with “out of scope” data.

Frequently Asked Questions

Do Search Workflows replace Dashboards?

Search workflows, on the other hand, are meant for retrieving specific data around a particular incident. While the structure of the workflow may remain the same for many tasks, the starting input and resulting output will change each time. They can also be used for one-time research needs without cluttering up your Graylog console, but should you identify something that needs regular review, it is just a click or two to turn a search workflow into a dashboard.

How many parameters can you set?

Unlimited, but we recommend keeping it to between one and three. After that you’ll be creating such complex queries that you’re unlikely to return any data, let alone meaningful data.

Will a Search Workflow work if the user is allowed access to only some of the streams used by it?

Yes, the search workflow will continue to work, but depending on the streams that the user has access to, some of the widgets and fields might not be populated.

Can you send data in one workflow as a parameter to another workflow?

You never know where an investigation might lead. If you start with one type of analysis using, let’s say, your Windows Threat Research workflow, only to find out that you really need to be digging into network activity, you can change your approach. Simply click on the relevant data in your search results to send it as an input parameter to another workflow.
