Announcing Graylog Illuminate v7.0

ADDED

  • Symantec ProxySG: Added alert_severity_level mapping based on event_action where applicable. (419)
  • Checkpoint FW: Added support for additional vendor_event_action values, important ones being encrypt and decrypt. (2917)
    • Additionally, restructured EXISTING vendor fields to better align with log output for existing action/outcome related fields: vendor_event_outcome is now vendor_event_action, vendor_event_outcome_reason is now vendor_event_action_reason, vendor_event_action is now vendor_event_operation.
  • Bitdefender GravityZone: Added support for New Extended Incident logs. (3059)
    • Added basic parsing for RPC formatted GravityZone logs for a possible future extension. A matching RPC GravityZone Push input does not exist, but parsing can be tested via filebeat.
  • Windows Security: Added support for status code 0xC0000413 – STATUS_AUTHENTICATION_FIREWALL_DENIED. (2836)
  • Microsoft IIS Content Pack (1067)
    • Microsoft IIS (Internet Information Services) is a flexible, secure, and manageable web server developed by Microsoft for hosting websites, web applications, and services on Windows. It supports HTTP, HTTPS, FTP, FTPS, and more, and integrates tightly with ASP.NET, Windows authentication, and the broader Windows Server ecosystem.
  • AWS Kinesis Content Pack (3076)
    • Amazon Kinesis is a managed AWS service for real-time data streaming that lets you collect, process, and analyze large streams of data continuously. It’s commonly used for analytics, log ingestion, and event-driven applications requiring near-instant processing. This pack parses and categorizes AWS VPC Flow logs via AWS Kinesis. Support for other log types might be added later.
  • 1Password Content Pack (2993)
    • 1Password is a secure password manager and secret vault used to store and manage credentials, API keys, and sensitive information. It uses strong encryption to protect data, supports secret references for easy retrieval, and ensures sensitive values are never exposed in plain text. By centralizing secrets, 1Password improves security, reduces the risk of leaks, and simplifies credential management.
  • Cisco Business 350 Series (CBS): Cisco Business 350 Series Content Pack (2263)
    • The Cisco Business 350 Series Switches are managed Layer 3 network switches designed for small and medium-sized businesses, offering advanced features like VLAN segmentation, static routing, and enhanced security in a simple, intuitive interface.
  • F5 BIG-IP: Added a Content Pack that supports the AFM and ASM module. (1137)

FIXED

  • NetFlow: Fixed IPFIX message identification and added support for different set fields. (2851)
  • Bitdefender: Fixed wrong input name. (3115)
  • Cisco ISE: Modified base extraction regex to make syslog header info optional. This allows sending to a syslog or raw TCP input. (3004)
  • Symantec ProxySG: Moved alert_severity_level lookup data to its own .csv to address lookup complaint of duplicate values. (3125)
  • Linux Auditbeat: Corrected issue mapping vendor_event_type: changed-promiscuous-mode-on-device. (2928)
  • Cisco ISE: Fixed CmdSet parsing so the full command is returned as vendor_cmdset, dropping CmdAV and CmdArgAV. (3019)
  • Bitdefender GravityZone: Fixed wrong search path in the New Incidents Count widget. (3007)
  • Curated Alerts: Improved rule: Illuminate – Windows Security – Active Directory Database Snapshot Via ADExplorer (2583)
    • The detector now covers execution of the 64-bit variant of ADExplorer to create database snapshots.
  • Core DNS Processing: Fixed filter causing inconsistent results in the dashboard. (2675)

CHANGED

  • NetFlow: Changed NetFlow IPv4/IPv6 renames and field types. (3074)
  • Cisco IOS: Streamlined identification rule logic to be more efficient. (2823)
  • PowerShell: Converted rules that used multiple grok patterns to use multi_grok. (2669)
  • Microsoft Defender Antivirus: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtype ids from alert to detection. (2563)
  • Snort: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtype ids from alert to detection. (2567)
  • Stormshield: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtype ids from alert to detection. (2559)
  • Palo Alto: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtype ids from alert to detection. (2564)
  • Postfix: Converted rules that used multiple grok patterns to use multi_grok. (2667)
  • Meraki: Converted rules that used multiple grok patterns to use multi_grok. (2668)
  • SEPM: Converted rules that used multiple grok patterns to use multi_grok. (2673)
  • Palo Alto: Renamed spotlight title. (2824)
  • Sophos Firewall: Converted rules that used multiple grok patterns to use multi_grok. (2671)
  • Sonicwall: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtype ids from alert to detection. (2553)
  • Schema: Modified index templates to copy hash related fields to associated_hash. (1940)
    • Prior to this change, Illuminate only supported a number of common hash fields (hash_md5, hash_sha256, etc.) as part of the schema. Because hashes can be related to multiple types of sources (files, processes, etc.), a dynamic field mapping has been added that will copy any hash field (process_hash_*, process_parent_hash_*, file_hash_*, hash_md5) to associated_hash. This will provide additional context to all hash objects.
  • Cisco Meraki: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtype ids from alert to detection. (2557)
  • Symantec Endpoint: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtype anomaly from alert to detection. (2561)
  • Palo Alto 11: Updated colors for widgets that reference event_action to reflect schema. (687)
  • Fortigate: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtypes such as virus, anomaly, and ips from alert to detection. (2376)
  • AWS Security Lake: Changed gim_event_category from alert to detection. (2314)
    • The dashboard now supports gim_event_categories alert and detection. The event codes 200100, 200101, 200102, and 200199 changed the gim_category from alert (179999) to detection (309999).
  • Microsoft Defender Endpoint: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtype virus from alert to detection. (2971)
  • Microsoft 365: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtypes such as dlp and anomaly from alert to detection. (2565)
  • Bitdefender Telemetry: Changed GIM code for network events. (2950)
    • GIM codes for network events updated from 129999 (default) to 120200 (open) and 120300 (close) events.
  • Illuminate: Disabled dynamic date detection for all Illuminate indices. (3008)
    • Dynamic date detection, enabled by default in OpenSearch, has led to numerous reports of mapping errors due to a race condition with fields that do not use consistent formats, or even consistent values. This change disables that behavior, so any date field must now be explicitly mapped by the Illuminate index mapping templates.
  • Sophos Firewall: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtypes such as virus, ATP, components anomaly, and signatures from alert to detection. (2558)
  • Cisco ASA: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtypes such as ips, malware, AMP verdicts, and file inspection from alert to detection. (2374)
  • Okta: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtype anomaly from alert to detection. (2441)
  • Pfsense: Standardized gim_event_type_code mappings to align with detection categories. Reclassified event types such as snort, suricata, and sshguard attack from alert to detection. (2566)
  • Checkpoint: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtype ips from alert to detection. (2315)
  • Linux Auditbeat: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtype violated-apparmor-policy from alert to detection. (2377)
  • Zeek: Changed DNS request categorization to exclude NBSTAT. (2618)
  • Symantec SES: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtype ids from alert to detection. (2562)
  • Symantec EDR: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtypes such as reputation, ips, sonar, antivirus, sandbox, and ioc from alert to detection. (2560)
  • Crowdstrike: Standardized gim_event_type_code mappings to align with detection categories. Reclassified default from alert to detection. (2399)
  • Core: Support MITRE ATT&CK Enterprise attacks_technique_uid & attacks_tactic_uid string values. (1711)
    • MITRE ATT&CK Enterprise attacks_technique_uid & attacks_tactic_uid field values will now be enriched if their values are multi-value or strings. Previously, the enrichment only handled multi-value data.
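
The Schema item above (hash fields copied to associated_hash) and the Illuminate item above (dynamic date detection disabled) both correspond to settings in an OpenSearch index template. The fragment below is an added illustration written for these notes, not the Illuminate index template or any other Graylog code; the template name, the index pattern, the keyword type for hash fields and the explicit timestamp mapping are assumptions, while the wildcard patterns are the ones named in the Schema entry.

```json
{
  "index_patterns": ["illuminate-example-*"],
  "template": {
    "mappings": {
      "date_detection": false,
      "dynamic_templates": [
        {
          "process_hash_to_associated_hash": {
            "match": "process_hash_*",
            "mapping": { "type": "keyword", "copy_to": "associated_hash" }
          }
        },
        {
          "process_parent_hash_to_associated_hash": {
            "match": "process_parent_hash_*",
            "mapping": { "type": "keyword", "copy_to": "associated_hash" }
          }
        },
        {
          "file_hash_to_associated_hash": {
            "match": "file_hash_*",
            "mapping": { "type": "keyword", "copy_to": "associated_hash" }
          }
        },
        {
          "hash_md5_to_associated_hash": {
            "match": "hash_md5",
            "mapping": { "type": "keyword", "copy_to": "associated_hash" }
          }
        }
      ],
      "properties": {
        "associated_hash": { "type": "keyword" },
        "timestamp": { "type": "date" }
      }
    }
  }
}
```

With date_detection set to false, a string that merely looks like a date is no longer promoted to a date field on first sight, so the mapping can no longer flip depending on which document arrives first; any field that should be searchable as a date has to be listed under properties, as timestamp is here. The copy_to mappings give associated_hash a copy of every matching hash value, so one query on that field finds a hash whether it was reported on a file, a process or its parent process.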

REMOVED

  • o365: Removed redundant type assignment in 22-o365_scc_categorize_alerts rule. (2957)
  • Bitdefender GravityZone: Removed a possible leading forward slash for the source field. (3058)
    • The input creates a forward slash if the hostname is empty and will attach it to the IP. This fix removes the added forward slash.
  • Compliance Content: Removed deprecated ‘Compliance Content Spotlight (Deprecated)’ spotlight. (2959)

DEPRECATED

  • Palo Alto 9.1x: The Palo Alto 9.1x Spotlight and associated processing content have been deprecated. Support for version 9.1x will be discontinued and the content will eventually be removed from Illuminate. Users should transition to the Palo Alto 11 Content Pack, which includes updated Spotlight content. (2716)

Let us know what you’d like to have included in our GitHub issue tracker.