Introduction to Views
See More with Better Views
The ol’ 80/20 rule: about 80% of the time you are running the same analyses over and over again, especially if you are an MSP, MSSP, or MDR. Whether you’re trying to track down a particular user session to figure out what went wrong or you were alerted to a potential threat and need to explore what is going on with a certain IP address, you run the same search queries over-and-over again, then drill down from there based on the results.
Instead of having to set up and maintain complex workflow rules, or write pages of queries to feed to an API, Graylog offers you Views. All your regular searches and visualizations for a particular type of analysis on one page, initiated by input variables (session ID, IP address, user ID, etc.). From there it’s easy to explore your data and find the answers you are looking for.
Unlike dashboards, Views are based on variable inputs so they easily adapt and change to each situation. Best of all, they can be easily saved and shared to create consistency and save time across all the analysts in your organization.
How It Works
Views are really a collection of extended searches and can incorporate multiple tabs for your more complex analyses, or just to keep yourself organized. Building, using, and updating Views is extremely fast and easy in Graylog--no need to write multi-page queries in a specialized UI or to feed to an API.
Simply start by creating an extended search. Here you can set time parameters, use boolean operators, and specify which streams to target (this helps keep search results lightning-fast), and then decide if you want the output as raw data, aggregated data, a chart, a map, simple count, or statistics. And then just save the search as a view.
From there you can add more extended searches to a View and set up initialization parameters for a wizard-like experience. Working with Views, you can easily change the initial search parameter and drill down on the charts and tables. Best of all, it’s just a quick click to share your Views with other Graylog users.
Tracking authentications across multiple platforms is a natural fit for Views as you can filter multiple streams with the userid. Imagine the operations team using a shared View where they can see the successful authentications, lock-outs, and failed authentications for your primary IAM, VPN, EDR, and SAML gateway all in one place by entering a single parameter.
Network operations teams will be able to easily leverage Views for tracking user or workstation movements. Need to investigate wireless DHCP usage? Enter a MAC address, and the relevant workstation information can be populated from AD, DHCP, and NAC/wireless.
Need to audit AD? You can use a View that pivots around group membership and group creation. Views support multiple parameters, so building tabs that cover both Users and Groups would follow nicely.
Compliance Views can use parameters to track users or devices that are bridging the Trust/Untrust gap, or devices that are at risk of mixing auditable data with “out of scope” data.
Frequently Asked Questions
Do Views replace Dashboards?
They are very similar in concept - lots of data and visualizations from throughout your environment all in one place, completely customizable to display exactly what you care about. However, dashboards are a bit more static and are meant for regular review of the key data and metrics you are responsible for. Views, on the other hand, greatly speed up the process of doing research into a particular performance or security issue.
How many parameters can you set?
Unlimited, but we recommend keeping it to just one and no more than 3. After that you’ll be creating such complex queries that you’re unlikely to return any data, let alone meaningful data.
Can I save or export the current View state?
Yes, you can save the state of the View, and also share the View with any other user of Graylog to ensure everyone is looking at the same thing.
How do I integrate custom visualizations?
Views are more for troubleshooting and threat hunting research scenarios, so custom visualizations like we have in dashboards and search would be pretty uncommon. If needed, you should be able to write a plugin.
Will a View work if the user is allowed access to only some of the Streams used by the View?
Yes, the View will continue to work, but depending on the streams that the user has access to, some of the widgets and fields might not be populated.
Can you send data in one View as a parameter to another View?
You never know where an investigation might lead. If you start with one type of analysis using, let’s say, your Windows Threat Research View, only to find out that you really need to be digging into network activity, you can change your approach. Simply right-click from the data in your first View to send it as an input parameter to another View.