IT Brief Canada - Technology news for CIOs & IT decision-makers

Graylog adds explainable AI to speed security response

Thu, 19th Mar 2026

Graylog has unveiled new explainable AI and automated investigation capabilities for its security information and event management platform, aimed at security teams with limited staff.

The updates are designed to prioritise alerts, speed up investigations and reduce manual documentation. They include a new threat prioritisation engine, AI-assisted investigation workflows and a natural-language query server that links external large language models to data inside Graylog.

"Lean security teams don't have the luxury of analyst bench depth or months of automation tuning", said Andy Grolnick, CEO of Graylog. "Every capability we are showing at RSA is designed around the same principle: rapidly detect, decide, and document from one command centre, so analysts spend time on real threats, not busy work."

Threat prioritisation

A central addition is a threat prioritisation engine that groups related alerts and suppresses what Graylog describes as noise. It uses entity context, asset criticality, vulnerability data and intelligence from active threat campaigns.

Alert fatigue remains a common problem for security operations teams, particularly when a small number of analysts must manage large volumes of logs and alerts. Vendors across the security market have been adding automation and AI-driven filtering to reduce time spent on triage.

Graylog's approach combines multiple signals into a single view of related events. The system links alerts based on assets and entities, then uses risk and vulnerability information to prioritise them.

Investigation automation

Graylog is also adding context-aware incident response workflows that automate evidence collection and orchestrate steps across an investigation. AI summarisation converts gathered evidence into step-by-step response recommendations.

According to the company, the approach can reduce investigation time by up to 50% compared with manual methods. The workflows emphasise a clear chain of evidence and a documented investigation record, which many organisations require for audits and post-incident reviews.

Automated collection and summarisation have become common areas of investment for security vendors. For buyers, a key question is how much control remains with analysts, and whether automated outputs can be explained and reviewed.

Conversational queries

Another addition is an open MCP Server that connects compatible large language models to Graylog data using the Model Context Protocol. The server supports natural-language prompts that query security data and trigger actions inside the platform.

Examples include asking which assets have rising risk scores linked to open investigations, requesting a summary of MITRE ATT&CK techniques observed in failed login activity, and creating new investigations from selected alerts.

The MCP Server is available at no additional cost across Graylog editions, including Open, Enterprise and Security. Access is governed by each user's licensed functionality and role-based access controls.

The move reflects a broader push in security operations towards conversational interfaces. Many security tools now offer chat-based querying and summarisation as a way for analysts to navigate complex environments faster. Interoperability across models has also become a purchasing consideration for organisations seeking flexibility in AI suppliers and deployment choices.

Agentic workflows

Graylog also described how customers are building agentic AI workflows on top of the MCP Server. Examples include automated triage agents that correlate Graylog alerts with data from identity providers, endpoint detection and response tools, and other systems. Graylog also highlighted compliance reporting agents that map detection coverage against frameworks such as MITRE ATT&CK, PCI and NIST.

Other examples include false-positive analysis agents that compare events with historical patterns and generate tuning recommendations, and event procedure agents that generate context-specific response steps based on gathered evidence.

Graylog says these agents operate within existing role-based access controls and are designed to maintain transparency, traceability and compliance. Analysts remain responsible for decisions that require human judgement.

Next release

Graylog also outlined a Spring 2026 release for Graylog Security, version 7.1. The update adds risk-triggered automated investigations: when an asset risk score exceeds a defined threshold, the platform automatically opens an investigation, attaches supporting signals and generates AI-recommended next actions.
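To make the two mechanisms described above concrete, the threat prioritisation engine (grouping related alerts per asset and scoring them with criticality, vulnerability and campaign context, with noise suppressed) and the risk-triggered automated investigation (a case opened with attached signals once an asset's score crosses a threshold), here is a small self-contained Python sketch. It is an added illustration, not Graylog's code or API: the alerts, asset context, weighting formula, noise floor, threshold value and next-action mapping are all constructed assumptions.

```python
"""Illustrative alert prioritisation and risk-triggered investigation.

Added example, not Graylog code. It models the ideas in the article:
group alerts by the asset they concern, score each group using asset
criticality, open vulnerabilities and campaign intelligence, suppress
low-value noise, and open an investigation record (with attached signals
and recommended next actions) when the score exceeds a threshold.
Every value below is constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample alerts; each names the asset it concerns.
ALERTS = [
    {"id": "a1", "asset": "web-01", "rule": "ssh_bruteforce", "severity": 3},
    {"id": "a2", "asset": "web-01", "rule": "new_admin_user", "severity": 5},
    {"id": "a3", "asset": "web-01", "rule": "outbound_c2_beacon", "severity": 7},
    {"id": "a4", "asset": "lab-vm", "rule": "ssh_bruteforce", "severity": 3},
    {"id": "a5", "asset": "lab-vm", "rule": "port_scan", "severity": 2},
    {"id": "a6", "asset": "db-01", "rule": "ssh_bruteforce", "severity": 3},
]

# Constructed asset context: criticality 1 (low) .. 5 (crown jewel),
# number of open exploitable vulnerabilities, and whether current
# campaign intelligence ties the asset to active attacker activity.
ASSETS = {
    "web-01": {"criticality": 4, "open_vulns": 2, "in_campaign": True},
    "db-01":  {"criticality": 5, "open_vulns": 0, "in_campaign": False},
    "lab-vm": {"criticality": 1, "open_vulns": 0, "in_campaign": False},
}

NOISE_FLOOR = 10.0               # assumed: groups below this are suppressed
INVESTIGATION_THRESHOLD = 40.0   # assumed: auto-open a case above this


@dataclass
class Investigation:
    asset: str
    risk_score: float
    signals: list = field(default_factory=list)       # attached alert ids
    next_actions: list = field(default_factory=list)  # recommended steps


def group_alerts(alerts):
    """Link alerts that concern the same asset into one group."""
    groups = defaultdict(list)
    for a in alerts:
        groups[a["asset"]].append(a)
    return dict(groups)


def risk_score(asset, alerts):
    """Combine alert severity with asset context into one risk score.

    Weighting is an assumption for illustration: the summed severity is
    multiplied by criticality, 5 points are added per open vulnerability,
    and the result is multiplied by 1.5 when campaign intelligence matches.
    """
    ctx = ASSETS[asset]
    score = sum(a["severity"] for a in alerts) * ctx["criticality"]
    score += 5 * ctx["open_vulns"]
    if ctx["in_campaign"]:
        score *= 1.5
    return score


def prioritise(alerts):
    """Return (asset, score, alerts) triples, highest risk first, noise removed."""
    ranked = []
    for asset, grp in group_alerts(alerts).items():
        s = risk_score(asset, grp)
        if s < NOISE_FLOOR:
            continue  # suppressed as noise; never shown to the analyst
        ranked.append((asset, s, grp))
    ranked.sort(key=lambda t: t[1], reverse=True)
    return ranked


def open_investigations(alerts, threshold=INVESTIGATION_THRESHOLD):
    """Open an investigation for each asset whose risk exceeds the threshold."""
    # Assumed mapping from fired rules to recommended next actions.
    playbook = {
        "outbound_c2_beacon": "isolate host and capture current network connections",
        "new_admin_user": "review recently created privileged accounts",
        "ssh_bruteforce": "check for successful logins following the failures",
    }
    cases = []
    for asset, score, grp in prioritise(alerts):
        if score <= threshold:
            continue
        inv = Investigation(asset=asset, risk_score=score,
                            signals=[a["id"] for a in grp])
        fired = {a["rule"] for a in grp}
        inv.next_actions = [step for rule, step in playbook.items() if rule in fired]
        cases.append(inv)
    return cases


if __name__ == "__main__":
    for asset, score, grp in prioritise(ALERTS):
        print(f"{asset}: risk {score} from {len(grp)} alert(s)")
    for inv in open_investigations(ALERTS):
        print(f"opened case for {inv.asset}: signals={inv.signals}")
        for step in inv.next_actions:
            print("  next:", step)
```

With the constructed data, the three alerts on the campaign-linked, high-criticality `web-01` collapse into one group that scores 105 and opens a case with all three alert ids attached, the single `db-01` alert ranks second at 15 and stays in the queue without a case, and the two `lab-vm` alerts on a throwaway host score 5 and are suppressed entirely. The threshold is a parameter precisely because the article frames it as something the defender defines, and the attached `signals` list is what gives a reviewer the chain of evidence behind an automatically opened investigation.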

The company's roadmap indicates a stronger focus on the point where detection turns into structured casework. For many teams, that handover can create delays, particularly when evidence collection and documentation rely on manual steps and ticketing systems.

Grolnick positioned the new capabilities as a response to staffing constraints in security operations.