
Graylog Announces Spring 2026 Release with Automated Investigations and Behavioral Detection

Delivers self-building investigations and automated workflows so lean security teams spend less time on manual casework

HOUSTON--(BUSINESS WIRE)--Graylog, the AI-powered SIEM built for lean security teams, today announced the general availability of Graylog 7.1. The Spring 2026 release delivers two capabilities lean security teams have struggled to get from a single platform: behavioral detection that catches what rules miss, and investigation workflows that remove manual case assembly entirely.

"Lean security teams do not need more tools," said Andy Grolnick, CEO of Graylog. "Graylog 7.1 brings detection, triage, and documentation into one place so analysts spend time on real threats, not busy work."

Investigations that build themselves

When an asset's risk score crosses a configured threshold, Graylog 7.1 automatically opens a complete investigation, attaching related events, alerts, and remediation procedures before an analyst touches the case. Additional updates to the investigation workflow include:

  • Configurable Risk Thresholds by Asset Group lets teams set different risk thresholds by asset category. For example, when a privileged account crosses 50, an investigation builds itself. Standard users don't trip that wire until 75. This ensures each asset group triggers the right level of urgency and a matching automatic response.
  • Consolidated Event Procedures surfaces every remediation step from every alert in a single list, so analysts follow one procedure rather than navigating individual alerts.
  • Bulk Add Logs to Investigation lets analysts add multiple log messages to a case in one action, cutting evidence collection from minutes to seconds.
  • New Context Sidebar follows along with analysts, providing key details, investigation guidance, asset context, and more to further reduce response times.

Detect threats that rules miss

Graylog 7.1 ships native behavioral anomaly detection with expanded capabilities and more flexibility in machine learning and customization:

  • Impossible Travel Detector flags credential compromise by identifying users appearing in geographically impossible locations that static rules would not detect.
  • Log Volume Detector catches spikes or drops in log volume signaling exfiltration, misconfiguration, or source failures across security and IT operations monitoring.
  • Sigma Rules from Private Repos lets security engineers pull detection content directly from private GitHub, GitLab, or Bitbucket repositories with full version control, making detection-as-code a standard workflow.

Infrastructure that keeps up

For IT operations and infrastructure teams, Graylog 7.1 adds dynamic shard sizing that eliminates manual cluster tuning, and native Azure Blob Storage support for archive, warm tier, and Data Lake — making fully Azure-native log management a standard deployment, not a workaround.

"Every capability in 7.1 started with the same question: where is analyst time actually going, and can Graylog take that off their plate?" said Seth Goldhammer, VP of Product Management. "Across detection, triage, reporting, and infrastructure, the answer is yes. We did not build features. We removed friction."

Graylog 7.1 is available now across Graylog Security and Graylog Enterprise. Release notes and a full feature list are at graylog.com. To see Graylog 7.1 in action, visit graylog.org/see-demo.

About Graylog

Graylog is the AI-powered SIEM and centralized log management platform that transforms noisy data into clear insights. It helps security and IT teams detect and investigate threats faster with explainable AI that summarizes dashboards, prioritizes risks, and automates workflows — without losing human control. Graylog is trusted by 60,000+ organizations worldwide.

Learn more at graylog.com or connect with us on Bluesky and LinkedIn.

Contacts

Media Contact:
Justine Schneider
The Nova Method
jschneider@thenovamethod.com
201-921-9428


Release Summary
Graylog 7.1 delivers automated investigations and behavioral detection to help lean security teams reduce manual work and respond faster.