Today, we’re excited to announce a new and improved Logbot, Gravwell’s AI-powered security data assistant, as part of Gravwell v5.9. The release adds deeper platform integration, faster natural-language investigation workflows, instant playbook and automation generation, and bidirectional AI integrations through MCP. These upgrades bring AI-driven assistance directly into daily workflows, helping practitioners get to answers faster and do more with complex security data.
Security data is the backbone of today’s security operations, but using it effectively at scale is a resource-intensive, time-consuming challenge for even the most seasoned practitioners. At the same time, the domain expertise required in SecOps creates a steep barrier for junior analysts to be impactful, making it no surprise that teams are turning to AI for support.
Logbot is Gravwell’s answer to those challenges, helping teams work through complexity faster and with less reliance on specialized expertise. Think of it as an embedded security guru that combines the capabilities of an engineer, architect, and analyst in one assistant to help users query, interpret, and act on security data faster.
Logbot works with knowledge of your environment and knowledge base, along with broader security best practices, to help with tasks like query writing and working with frameworks such as OCSF. Writing accurate, meaningful queries, translating between query languages, or simply asking questions about your data or Gravwell cluster is as easy as using a natural language prompt. The result is a democratization of knowledge across the organization that drives better understanding, less manual effort, and a major boost in analyst productivity.
Here’s what to expect from the latest Logbot release:
Deep Platform Integration: Logbot connects directly to live Gravwell systems via API and embeds into customer workflows through a natural chat interface. That means users can ask practical questions about their environment, such as “How is my cluster doing?” or “Where can I find this tag?”, and get instant answers without digging through menus, documentation, or raw data.
In this example, a customer asks Logbot to perform an audit of scheduled searches and alerts to make sure they’re executing properly, in sync, and as expected. Logbot identifies enabled jobs that are not actually running, and surfaces the issue in a clear findings table that includes searches with a “Last Run” of never despite being enabled.
Here, Logbot checks scheduled searches and alerts, then flags critical issues where expected jobs are not actually running.
After checking available flows and alert configuration requirements, Logbot enables the alert and scheduled search, confirms the consumer and schema details, and reports that both are now active.
Logbot validates the dependencies needed to turn on alerting, enables the critical alert, then enables the scheduled search and confirms both are successfully running.
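The audit shown above (enabled jobs that have never run, plus the dependency check before an alert is switched on) reduces to a few explicit rules. The following is an added illustration of those rules over a constructed inventory; it is not Logbot's code and does not use Gravwell's API. The record layout (`enabled`, `interval_s`, `last_run`, `scheduled_search`) and the `stale_factor` heuristic are assumptions made for this example.

```python
"""Audit scheduled searches and alerts for jobs that are enabled but not
actually running. Added example with constructed data; the record layout is
an assumption, not Gravwell's schema."""
from datetime import datetime, timedelta, timezone

# Constructed snapshot of a cluster's scheduled searches (assumed layout).
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
SCHEDULED_SEARCHES = [
    {"name": "failed-logins-hourly", "enabled": True, "interval_s": 3600,
     "last_run": NOW - timedelta(minutes=20)},          # healthy
    {"name": "new-admin-accounts", "enabled": True, "interval_s": 3600,
     "last_run": None},                                  # enabled, "Last Run: never"
    {"name": "dns-volume-daily", "enabled": True, "interval_s": 86400,
     "last_run": NOW - timedelta(days=4)},               # enabled but stale
    {"name": "old-report", "enabled": False, "interval_s": 86400,
     "last_run": None},                                  # disabled: not a finding
]
# Constructed alerts; each one consumes the output of a scheduled search.
ALERTS = [
    {"name": "admin-account-alert", "enabled": True,
     "scheduled_search": "new-admin-accounts"},
    {"name": "dns-alert", "enabled": True, "scheduled_search": "old-report"},
]


def audit_scheduled_searches(searches, now, stale_factor=2):
    """Return (name, issue) pairs for enabled searches that are not running.

    'never_run' covers the "Last Run: never" case; 'stale' flags a job whose
    last run is older than stale_factor times its own interval (heuristic)."""
    findings = []
    for s in searches:
        if not s["enabled"]:
            continue                      # disabled on purpose: nothing to report
        if s["last_run"] is None:
            findings.append((s["name"], "never_run"))
        elif now - s["last_run"] > timedelta(seconds=s["interval_s"] * stale_factor):
            findings.append((s["name"], "stale"))
    return findings


def audit_alerts(alerts, searches):
    """Dependency check: an enabled alert only fires if the scheduled search
    it consumes exists and is itself enabled."""
    by_name = {s["name"]: s for s in searches}
    findings = []
    for a in alerts:
        if not a["enabled"]:
            continue
        dep = by_name.get(a["scheduled_search"])
        if dep is None:
            findings.append((a["name"], "dependency_missing"))
        elif not dep["enabled"]:
            findings.append((a["name"], "dependency_disabled"))
    return findings


def render_findings(findings):
    """Plain-text findings table, one row per issue."""
    rows = [f"{'job':<24}{'issue'}", "-" * 40]
    rows += [f"{name:<24}{issue}" for name, issue in findings]
    return "\n".join(rows)


if __name__ == "__main__":
    all_findings = (audit_scheduled_searches(SCHEDULED_SEARCHES, NOW)
                    + audit_alerts(ALERTS, SCHEDULED_SEARCHES))
    print(render_findings(all_findings))
```

The stale rule is the part worth tuning in practice: a job that runs daily but last ran four days ago is silently broken even though it is "enabled", and a flat "last run within 24 hours" check would miss the hourly job that stopped three hours ago.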
Efficiency Gains: Logbot helps bridge the gap between raw data and understanding. It turns raw logs into actionable answers that speed up triage, reduce time spent searching for context, and help analysts respond with greater confidence. Logbot also generates playbooks and automations instantly, eliminating manual effort and reducing the need for deep technical expertise.
In this example, a customer asks Logbot to create a full “Storage Expansion Action Plan” playbook with monitoring guidance and utilization thresholds.
Logbot converts a simple request into a formal storage expansion playbook with decision criteria and operational guidance.
The user’s natural language prompt results in a structured playbook that recommends how to monitor storage growth and when to start planning for expansion, including utilization context, monitoring objectives, key metrics, and a recommended review schedule.
The playbook captures current storage utilization, defines what to monitor, and outlines how to plan for future expansion.
Logbot can also boost efficiency by quickly building, refining, and running queries to accelerate investigations, including translating queries from other query languages. This reduces reliance on query language expertise and shifts the focus from “how do I query” to “what do I want to know?”
Users can write natural language prompts to translate queries from other query languages into Gravwell’s query language, or to reshape existing queries to fit frameworks such as OCSF. In this example, Logbot uses saved search context to create a query for “User logged in” events and chart login counts over time, which the user can copy and paste. This capability saves time and helps level up junior analysts who are not yet fluent in the query language.
A natural-language prompt becomes a working Gravwell query that tracks user logins and visualizes them in a time-series chart.
AI Tool Integration: Logbot functions as both an MCP server and MCP client, enabling bidirectional AI integrations across the security stack. In practice, that means teams can query Gravwell from other MCP-enabled tools or bring data from those tools into Gravwell to enrich investigations in one place.
Logbot querying Gravwell through an MCP-enabled AI tool to check cluster health in plain language, showing how teams can bring live security platform context directly into their AI workflows.
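MCP traffic is JSON-RPC 2.0: a client lists the server's tools with `tools/list` and invokes one with `tools/call`, and the server answers with a `result` (a list of content parts) or a JSON-RPC `error`. The following is an added example that runs both sides in one process to show that exchange; it is not Gravwell's or Logbot's MCP implementation. The tool name `cluster_health`, its `disk_warn_pct` argument and the cluster snapshot are constructed for illustration. The security point it makes explicit: a server should expose an allowlist of read-only tools and validate arguments, since the caller may be an AI agent driven by untrusted prompts.

```python
"""Minimal MCP-style tool server and client in one process.
Added example, not Gravwell's code. Message framing follows MCP's JSON-RPC
2.0 methods tools/list and tools/call; tool, arguments and data are
constructed."""
import json

# Constructed cluster snapshot standing in for a live platform API response.
CLUSTER_STATE = {
    "indexers": [
        {"name": "idx-1", "status": "ok", "disk_used_pct": 61},
        {"name": "idx-2", "status": "degraded", "disk_used_pct": 93},
    ],
}


def tool_cluster_health(arguments):
    """Read-only tool body. Arguments come from the remote client, so they are
    validated before use rather than trusted."""
    threshold = arguments.get("disk_warn_pct", 85)
    if isinstance(threshold, bool) or not isinstance(threshold, int) or not 0 <= threshold <= 100:
        raise ValueError("disk_warn_pct must be an integer between 0 and 100")
    attention = [i["name"] for i in CLUSTER_STATE["indexers"]
                 if i["status"] != "ok" or i["disk_used_pct"] >= threshold]
    return {"healthy": not attention, "attention": attention}


# Explicit allowlist of exposed tools: anything not listed here is unreachable.
TOOLS = {
    "cluster_health": {
        "description": "Summarise indexer status and disk pressure",
        "inputSchema": {"type": "object",
                        "properties": {"disk_warn_pct": {"type": "integer"}}},
        "handler": tool_cluster_health,
    },
}


def _error(rid, code, message):
    return json.dumps({"jsonrpc": "2.0", "id": rid,
                       "error": {"code": code, "message": message}})


def handle_request(raw):
    """Server side: take one JSON-RPC request, return the JSON-RPC response."""
    try:
        req = json.loads(raw)
    except json.JSONDecodeError:
        return _error(None, -32700, "parse error")
    rid = req.get("id")
    if req.get("jsonrpc") != "2.0":
        return _error(rid, -32600, "invalid request")
    method = req.get("method")
    if method == "tools/list":
        tools = [{"name": n, "description": t["description"], "inputSchema": t["inputSchema"]}
                 for n, t in TOOLS.items()]
        return json.dumps({"jsonrpc": "2.0", "id": rid, "result": {"tools": tools}})
    if method != "tools/call":
        return _error(rid, -32601, "method not found")
    params = req.get("params") or {}
    tool = TOOLS.get(params.get("name"))
    if tool is None:
        return _error(rid, -32602, "unknown tool")
    try:
        out = tool["handler"](params.get("arguments") or {})
        content, is_error = [{"type": "text", "text": json.dumps(out)}], False
    except ValueError as exc:
        # MCP reports a failing tool as a result with isError, not a protocol error,
        # so the calling model sees what went wrong and can retry.
        content, is_error = [{"type": "text", "text": str(exc)}], True
    return json.dumps({"jsonrpc": "2.0", "id": rid,
                       "result": {"content": content, "isError": is_error}})


def call_tool(name, arguments, rid=1):
    """Client side: build the tools/call request, send it, decode the reply.
    Returns {"ok": True, "result": ...} or {"ok": False, "error": ...}."""
    req = {"jsonrpc": "2.0", "id": rid, "method": "tools/call",
           "params": {"name": name, "arguments": arguments}}
    resp = json.loads(handle_request(json.dumps(req)))
    if "error" in resp:
        return {"ok": False, "error": resp["error"]["message"]}
    text = resp["result"]["content"][0]["text"]
    if resp["result"].get("isError"):
        return {"ok": False, "error": text}
    return {"ok": True, "result": json.loads(text)}


if __name__ == "__main__":
    print(handle_request(json.dumps({"jsonrpc": "2.0", "id": 0, "method": "tools/list"})))
    print(call_tool("cluster_health", {}))
```

In a real deployment the two halves sit in different processes (Logbot as the server when another tool queries Gravwell, as the client when it pulls data in); the framing is the same, and the allowlist plus argument validation is what keeps a tool-calling agent from turning a health check into an arbitrary action.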
Logbot data is private and local: Logbot is based on Gravwell’s proprietary models and works from your internal data and knowledge base inside your own environment, so sensitive security data never needs to be sent to external systems or third-party models. This lets teams adopt AI while keeping full control over their data, access, and compliance requirements.
Conclusion
Logbot helps teams move from raw data to real answers faster, with less manual effort and less reliance on specialized expertise. By combining deep platform integration, natural language interaction, and private deployment within your environment, it gives practitioners a more accessible and efficient way to investigate, automate, and understand their security data. The new Logbot is another step toward making security operations faster, smarter, and easier to scale.
Learn more about Logbot here, and take a deeper dive into Logbot on our docs page here.