Announcing Graylog Illuminate v6.1

GRAYLOG ILLUMINATE 6.1

Released: 2024-11-21


Added

  • Sysmon: Added user_name parsing for event_code 16 (2309)
  • Sophos: Added support for new firewall file names (2508)
    • Sophos changed the field names vendor_packets_sent and vendor_packets_received in firewall logs; vendor_dst_mac was renamed to destination_mac.
  • Bitdefender: Bitdefender GravityZone Content Pack (2362)
    • Bitdefender GravityZone is an enterprise security solution offering centralized management for endpoint protection, network security, and cloud security. It consists of about 45 modules.
  • MS365: Added additional vendor_event_action values to the lookup. (2157)
    • Adding numerous vendor_event_action values to the related lookup allows other fields to be populated where the information exists: vendor_event_category, gim_event_type_code, and vendor_event_description.
  • MS365: Added GIM categorization for additional DLPEndpoint file related events. (2254)
  • MS365: Process role assignment and removal events (2483)
    • This change processes the MS365 role removal and assignment events. The roles assigned or removed are extracted to the fields privilege_added_name, privilege_added_id, privilege_removed_name, and privilege_removed_id.
  • Sophos: Added Sophos stream to dashboard scope (2500)
  • Windows: Categorize Security Event ID 4703, 4704, 4705 as privilege added and privilege removed (2532)
  • Cloudflare: Cloudflare Content Pack (2363)
    • Cloudflare is a web infrastructure and security company that provides services such as content delivery, DDoS protection, internet security, and domain name server (DNS) solutions to enhance website performance and protect against cyber threats.
  • Sysmon Spotlight: Added support for EventID 28/29. (1554)
  • Ubiquiti UniFi: Added parsing for kernel logs noting received packets with identical addresses. (2475)
  • Compliance: Add privilege changes to Compliance Spotlight dashboard (2542)
  • Sophos: Added event_action parsing for Events (2515)
    • Some events of event_type Events include an action; parsing was added for failed login attempts.
  • MS365: Added a Security Posture Management tab to the Office 365 Overview spotlight. (2318)
    • The Security Posture Management Overview tab includes assessment and regulatory compliance information which details your environment security posture.
  • Windows: Process privilege token assignments in windows using the privilege fields (2519)
    • Process security tokens in Windows event logs using privilege fields. Windows Security event log messages that list security tokens now use the fields privilege_assigned_name, privilege_removed_name, and privilege_name, depending on the event. Additionally, an enrichment has been added to define a privilege category (privilege_assigned_category, privilege_removed_category, privilege_category), which assigns the value ‘elevated_privilege’ to identify tokens that allow an account to perform sensitive system activities.
  • Sophos: Added categorization for HTTP logs and added parsing according to the Graylog schema (2422)
    • Sophos logs with the event component HTTP are now categorized as network (network.connection) and http.default. Firewall Authentication logs for failed logon are categorized as authentication.logoff. Blocked appliance logs are categorized as authentication.logon. Changed fields from http_uri to http_request_path, vendor_http_status to http_response_code, vendor_http_user_agent to http_user_agent, and vendor_con_id to connection_id.
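The Windows privilege items above (2519, 2532) describe mapping the privilege lists in Security events 4703, 4704 and 4705 onto privilege_assigned_* / privilege_removed_* fields and enriching them with a category. The following is an added example of that normalization, not Illuminate's own rule code: the ELEVATED set is an assumption chosen for illustration (Illuminate's actual list is not published on this page), the Windows event-data field names EnabledPrivilegeList, DisabledPrivilegeList and PrivilegeList are the ones the events carry, and the sample events are constructed.

```python
# Added example (not Illuminate's rule code): privilege-field normalization and
# category enrichment for Windows Security events 4703/4704/4705.

# ASSUMPTION for illustration: privileges treated as "elevated". Illuminate's real
# list is not given on the page; these are the well-known sensitive user rights.
ELEVATED = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeCreateTokenPrivilege",
}


def privilege_category(name):
    """Return 'elevated_privilege' for sensitive rights, else None (no field)."""
    return "elevated_privilege" if name in ELEVATED else None


def split_privileges(raw):
    """Windows lists one privilege per line, tab-indented; '-' means none."""
    parts = raw.replace("\t", "\n").split("\n")
    return [p.strip() for p in parts if p.strip() and p.strip() != "-"]


def enrich_privilege_event(event):
    """Map an event's privilege lists onto the privilege_* fields.

    event: dict with 'event_id' and the raw Windows event-data fields.
    Returns only the fields that apply (empty dict for other event IDs).
    """
    code = event["event_id"]
    if code == 4703:                      # a user right was adjusted (token)
        assigned = split_privileges(event.get("EnabledPrivilegeList", "-"))
        removed = split_privileges(event.get("DisabledPrivilegeList", "-"))
    elif code == 4704:                    # a user right was assigned
        assigned = split_privileges(event.get("PrivilegeList", "-"))
        removed = []
    elif code == 4705:                    # a user right was removed
        assigned = []
        removed = split_privileges(event.get("PrivilegeList", "-"))
    else:
        return {}

    fields = {}
    for names, key in ((assigned, "assigned"), (removed, "removed")):
        if not names:
            continue
        fields["privilege_%s_name" % key] = names
        cats = sorted({c for c in map(privilege_category, names) if c})
        if cats:                          # category field only when something is elevated
            fields["privilege_%s_category" % key] = cats
    return fields


if __name__ == "__main__":
    # Constructed sample: a 4704 that grants SeDebugPrivilege and a harmless right.
    sample = {"event_id": 4704,
              "PrivilegeList": "SeDebugPrivilege\n\t\t\tSeChangeNotifyPrivilege"}
    print(enrich_privilege_event(sample))
```

A detection or dashboard can then key on privilege_assigned_category rather than on a list of raw privilege names, which is what the Compliance Spotlight addition (2542) relies on.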


Fixed

  • MS365: Updated user_name parsing and added user_domain extraction. (2321)
    • User names formatted as user@domain.com or DOMAIN\USER now have user_name and user_domain extracted as separate fields.
  • Postfix: 12-postfix_event_created_normalization rule can’t handle extra space (2414)
    • Updated the event_created extraction logic for Postfix. The pack now attempts to parse multiple date formats. To prevent indexing errors caused by unexpected date formats in event_created, the date is first extracted as vendor_event_created; the pack then attempts to parse that field and assigns the result to event_created. If parsing fails, vendor_event_created is indexed as a keyword-type field, which does not prevent the message from being indexed, but the field cannot be used in ranged searches.
  • MS365: Group names are extracted as o365_group_name_new or o365_group_name_old but context is missing (2413)
    • Removed these fields for IAM events where only one or the other exists; in that case the value is assigned to the field group_name.
  • Cisco ASA: Fixed parsing and categorization for 113004, 113005, 113006, and 113007. (2400)
    • Added categorization for 113004 and 113005 (authentication.logon) and changed parsing from host_ip/host_hostname to source_ip/source_hostname. Changed categorization for 113006 from authentication.logon to authentication.logoff. Changed categorization for 113007 from authentication.logon to account.unlocked and changed parsing from vendor_admin_user_name to source_user_name.
  • MS365: AzureAD/Entra ID ExtendedProperties User Agent Field Extraction (2269)
    • The http_user_agent field extracted from AzureAD/Entra ID logs is now extracted as a single string capable of being processed by additional functions.
  • MS365: Entra ID Sign-In Failures and Reason by Top 5 Users Widget Fix (2506)
    • The group by column field associated with this widget has been updated to vendor_event_action which better represents the intent of the widget.
  • MS365: user_name field is value list for IAM group change events (2411)
  • Crowdstrike: Fixed issue with spotlight by removing unsupported dependency. (2574)
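Two of the fixes above describe parsing logic worth seeing end to end: the MS365 user_name / user_domain split (2321) and the Postfix event_created fallback (2414), where the raw date is kept in vendor_event_created so that an unparseable format never blocks indexing. The following is an added example in Python, not Illuminate's pipeline rules: the regex, the list of date formats, the assumption that a syslog header without a year or zone is in the current year and UTC, and the sample log lines are all constructed for illustration.

```python
import re
from datetime import datetime, timezone

# ---- MS365 (2321): split user@domain / DOMAIN\user into user_name + user_domain ----
def split_user(raw):
    """Return {'user_name': ..., 'user_domain': ...}; user_domain only when present."""
    if "\\" in raw:                           # down-level logon name: DOMAIN\user
        domain, _, name = raw.partition("\\")
        return {"user_name": name, "user_domain": domain}
    if "@" in raw:                            # UPN: user@domain.com
        name, _, domain = raw.rpartition("@")
        return {"user_name": name, "user_domain": domain}
    return {"user_name": raw}                 # neither form: keep as-is


# ---- Postfix (2414): extract the date raw, then try to parse it ----
# Assumption: a syslog-style "<timestamp> <host> postfix/<proc>[<pid>]: <msg>" line.
SYSLOG_LINE = re.compile(
    r"^(?P<ts>.+?)\s+(?P<host>\S+)\s+postfix/(?P<proc>[\w-]+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)

# Formats tried in order (assumption: Illuminate's actual list differs).
DATE_FORMATS = (
    "%b %d %H:%M:%S",            # classic syslog header, e.g. "Nov 21 08:15:02"
    "%Y-%m-%dT%H:%M:%S.%f%z",    # RFC 5424 style with fraction and offset
    "%Y-%m-%dT%H:%M:%S%z",
)


def normalize_event_created(raw, year):
    """Parse raw into an ISO 8601 string, or return None if no format matches."""
    candidate = " ".join(raw.split())         # collapse the padded single-digit day
    for fmt in DATE_FORMATS:
        try:
            dt = datetime.strptime(candidate, fmt)
        except ValueError:
            continue
        if dt.year == 1900:                   # classic syslog carries no year
            dt = dt.replace(year=year)
        if dt.tzinfo is None:                 # assumption: naive timestamps are UTC
            dt = dt.replace(tzinfo=timezone.utc)
        return dt.isoformat()
    return None


def parse_postfix_line(line, year=2024):
    """Return the extracted fields; event_created is set only when the date parsed."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return {"message": line}
    fields = {
        "source": m["host"],
        "vendor_event_created": m["ts"],      # always kept, as a keyword-type value
        "process_name": "postfix/" + m["proc"],
        "process_id": int(m["pid"]),
        "message": m["msg"],
    }
    parsed = normalize_event_created(m["ts"], year)
    if parsed is not None:
        fields["event_created"] = parsed
    return fields


if __name__ == "__main__":
    # Constructed sample lines: padded day (the "extra space" case) and an unknown format.
    for line in (
        "Nov  5 08:15:02 mail01 postfix/smtpd[1234]: connect from unknown[192.0.2.10]",
        "21/11/2024 08:15:02 mail01 postfix/qmgr[99]: removed",
    ):
        print(parse_postfix_line(line))
    print(split_user("CONTOSO\\jdoe"), split_user("jdoe@contoso.com"))
```

The second sample line is deliberately in a format the list does not know: it still produces vendor_event_created and the rest of the fields, and only event_created is absent, which is the behaviour the Postfix note describes.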


Changed

  • NGINX: Scope dashboard widgets to NGINX Messages stream. (2450)
  • Fortigate: Changed dashboard widget times to 1hr. (2197)
  • Cisco ASA: Scope dashboard widgets to Cisco ASA Messages stream. (2433)
  • Sysmon: Scope dashboard widgets to Sysmon Messages stream. (2505)
  • Snort IDS: Scope dashboard widgets to Snort IDS Messages stream. (2496)
  • Checkpoint: Scope dashboard widgets to Checkpoint Messages stream. (2484)
  • Watchguard: Scope dashboard widgets to Watchguard Messages stream. (2512)
  • Ubiquiti Unifi: Scope dashboard widgets to Ubiquiti Unifi Messages stream. (2510)
  • Okta: Scope dashboard widgets to Okta Messages stream. (2453)
  • Windows Security: Scope dashboard widgets to Windows Security Messages stream. (2513)
  • Juniper SRX: Scope dashboard widgets to Juniper SRX Messages stream. (2437)
  • Stormshield: Scope dashboard widgets to Stormshield Messages stream. (2501)
  • Zeek: Scope dashboard widgets to Zeek Messages stream. (2518)
  • MS Defender AV: Scope dashboard widgets to MS Defender AV Messages stream. (2488)
  • Fortigate: Forward subtype logs now categorized as network connections. (2236)
  • Linux Auditbeat: Scope dashboard widgets to Linux Auditbeat Messages stream. (2439)
  • Sonicwall: Scope dashboard widgets to Sonicwall Messages stream. (2498)
  • AWS Security Lake: Scope dashboard widgets to AWS Security Lake Messages stream. (2430)
  • Sophos: Reducing Graylog license utilization for Sophos (2490)
    • The message field is now shortened to avoid data duplication, and fields related to ports and packets are deleted when their value is 0.
  • Unifi Spotlight: Updated the time range for all spotlight widgets to 1 hour. (2417)
  • Pfsense: Scope dashboard widgets to Pfsense Messages stream. (2493)
  • Powershell: Scope dashboard widgets to Powershell Messages stream. (2494)
  • Palo Alto: Scope dashboard widgets to Palo Alto Messages stream. (2455)
  • Meraki: Scope dashboard widgets to Meraki Messages stream. (2442)


Let us know what you’d like to have included in our GitHub issue tracker.
