What are the top 5 searches you have automated or would like to automate in Graylog?
Please share your thoughts below 
What do you mean by “automating searches”?
@jtkarvo that could be every “saved search” or search that you are do at least once a day. Like you search for the browser agents in your web server log files and build quick values from that.
- Security focused searches, like looking for people trying to send tags, or sql queries. Then if I find anything, I then look for all the traffic from that person.
- 200’s/404’s over time
- java exceptions
- PHP fatal errors
-
WebServer
Top IPs with # of hits -
OS
Top IPs/users with failed login attempts
Top ports accessed -
Network Device
Top SNMP Traps received
- Failed logins by IP, Computer, User from AD and Exchange, ADFS
- VDI Session Usage
- Web Browser type, codes
- Source IP Maps
- Exchange Message Tracking top senders, recipients
- WebServer and proxy (apache & Squid, top web sites, denied, httpd_status, duration_usec, …)
- Mail infrastructure (Postfix, Cyrus)
- Identity: openldap & AD & workflow rules (users, groups, workstations, audit, etc)
- Freeradius (Top users, etc)
- Network Device & DHCP/DNS servers
I would really like to automate a way to correlate all IPs that are involved in an access denied, or too much access in the last day/week with common threat intelligence DB (hopefully can do this soon with the threat intelligence plugin)