Announcing Graylog Illuminate v6.0

GRAYLOG ILLUMINATE 6.0

Released: 2024-10-21

Added

  • Google Workspace: Google Workspace Content Pack (2064)
    • Google Workspace is a collection of cloud computing, productivity and collaboration tools, software and products developed and marketed by Google. It consists of Gmail, Contacts, Calendar, Meet, Chat, Drive, and Google Docs. Admin-related logs are included.
  • Graylog Compliance: Add remote access dashboard (2342)
  • Windows Security: Added parsing for Event ID 5379 (2170)
  • Cisco Umbrella: Added support for Cisco Umbrella (2066)
    • Cisco Umbrella is a cloud-delivered security platform that provides threat intelligence, secure access, and protection against internet-based threats.
  • Added Curated Alerts – Webserver (2235)
    • Adds a spotlight pack containing Sigma-formatted alerts provided by SOC Prime and curated by the Graylog team. This may include some modifications of the source rules to align with the GIM schema and the Graylog team’s findings.
  • Windows Security: Added parsing for Windows Event ID 5145 (728)
  • Windows Security: Added support for Event ID 4660 and 4658 (2216)
  • Illuminate: Added Open edition bundle (2300)
  • Added Curated Alerts – Linux (2241)
    • Adds a spotlight pack containing Sigma-formatted Linux alerts provided by SOC Prime and curated by the Graylog team. This may include some modifications of the source rules to align with the GIM schema and the Graylog team’s findings.
  • Windows Security: Added support for Windows Event ID 4656 (1973)
  • Curated Alerts: Remote Desktop From Internet: added 172.22.x range and fixed GIM field (2212)
    • Renamed the non-existent GIM field source_is_reserved to the existing GIM field source_reserved_ip.
  • MS365: Added processing of Endpoint subtype events (2108)
    • Added processing for MS365 Endpoint file events: “FileModified”, “FileCreated”, “FileDeleted”, “FileRenamed”, “FileDownloadedFromBrowser”, “ArchiveCreated”, “DlpRuleMatch”, “FileRead”, “FileCopiedToRemovableMedia”. This includes field extraction, categorization, and updating the message field with a brief event summary.
  • Core: Added 16 new Sigma mappings (1292)
  • Linux System Logs: Initial technology pack (2217)
    • Linux is a widely-used, open-source operating system that powers everything from servers and cloud infrastructure to desktop systems and embedded devices. For its initial release, this technology pack supports common Syslog and auth logs from Debian/Ubuntu distributions.


Fixed

  • MS365: CompliancePostureManagement events not being processed (2302)
  • Curated Alerts: Improved rule: Illuminate – Windows Security – Remote Desktop From Internet (2246)
    • Changed the source_reference field in this sigma rule to source_ip field to reduce the number of false-positives.
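The two Remote Desktop From Internet changes above (the 172.22.x range and the source_reference to source_ip switch) can be illustrated with a small added Python sketch of the detection logic; this is an example written for this page, not Illuminate's shipped Sigma rule. It flags an RDP logon only when source_ip is present and not inside a reserved range, so events with a 172.22.x source or with only a source_reference value do not alert. The field names windows_logon_type and event_id, and the sample events, are constructed assumptions modelled on GIM naming.

```python
import ipaddress

# Reserved/private source ranges; 172.22.x.x lies inside 172.16.0.0/12 (RFC 1918).
# Assumption: an illustrative list, not the ranges Illuminate's own rule uses.
RESERVED_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10",
)]


def is_reserved_ip(addr):
    """True if addr parses as an IP address inside one of RESERVED_RANGES."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # hostnames or garbage never count as reserved
        return False
    return any(ip in net for net in RESERVED_RANGES)


def enrich(event):
    """Populate the GIM field source_reserved_ip from source_ip (returns a copy)."""
    out = dict(event)
    if "source_ip" in out:
        out["source_reserved_ip"] = is_reserved_ip(out["source_ip"])
    return out


def rdp_from_internet(event):
    """Detection: RDP logon (Windows logon type 10) from a non-reserved source_ip.

    Matching on source_ip rather than source_reference means an event that
    carries only source_reference is not enough to fire the alert.
    """
    e = enrich(event)
    if e.get("windows_logon_type") != 10:   # hypothetical GIM-style field name
        return False
    if "source_ip" not in e:
        return False
    return not e["source_reserved_ip"]


# Constructed sample events: internal RDP, internet RDP, reference-only, non-RDP.
SAMPLE_EVENTS = [
    {"event_id": 4624, "windows_logon_type": 10, "source_ip": "172.22.5.9",
     "source_reference": "10.0.0.5"},
    {"event_id": 4624, "windows_logon_type": 10, "source_ip": "203.0.113.8"},
    {"event_id": 4624, "windows_logon_type": 10, "source_reference": "203.0.113.8"},
    {"event_id": 4624, "windows_logon_type": 2, "source_ip": "203.0.113.8"},
]


def alerts(events):
    """Return the subset of events that the detection would raise an alert for."""
    return [e for e in events if rdp_from_internet(e)]
```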
  • Fortigate: Fixed wrong event_action mapping (2327)
    • The event_action for server-rst and client-rst is now set to allowed. The utmaction field was previously mapped to vendor_event_action; it is now mapped to vendor_utm_action.
  • Crowdstrike: Content and spotlight improvements (2140)
    • Revamped our Crowdstrike Falcon dashboards to improve alert focus, expanded coverage for additional alert subtypes, and resolved the misidentification of API events as authentication events, resulting in more accurate and comprehensive alert tracking.
  • MS365: Fixed logic for pipeline rule execution related to setting the message field. (2289)
    • Pipeline processing order logic was preventing the message field from being properly set.
  • MS365: source_port no longer set to 0 when no source port exists in source JSON (2270)


Changed

  • Windows Security: Added the remote_access GIM tag for RDP sessions (change request) (2332)
  • MS365: Replaced occurrences of vendor_event_type with vendor_event_action in Spotlight (2274)
    • Changes to processing now rely on vendor_event_action; vendor_event_type is now considered a legacy field.
  • Palo Alto: Added the remote_access GIM tag for GlobalProtect logs (2340)


Let us know what you’d like to have included in our GitHub issue tracker.
